On Fri, Oct 13, 2017 at 5:57 AM, Walter Alejandro Iglesias <[email protected]> wrote:
Perhaps the existence of the PermitRootLogin directive is redundant at
this point or ought to be deprecated, and the docs should suggest using
other Option directives? :-)

Or..... how is this meant to provide additional functionality above and
beyond directives that can be used to restrict authentication types for
all connections regardless of login name?

    AuthenticationMethods publickey,keyboard-interactive
    Match User root
        AuthenticationMethods publickey

The [AuthenticationMethods] directive can also specify that a
Non-Password based Method must be used PLUS a Password-based method...
thus avoiding the possibility of an unintentional backdoor through an
.ssh/authorized_keys key file, by making sure the root password is
always required, and reducing the likelihood that an SSH secret key is
stolen and then used to surreptitiously log in as root. So.....

    AuthenticationMethods publickey,password publickey,keyboard-interactive

Can be seen as stronger security than "PermitRootLogin prohibit-password".

There's no "PermitRootLogin require-BOTH-publickey-and-a-password".

> In sshd_config(5), to avoid confusion with PermitRootLogin options.
>
> Original:
>
> If this option is set to *prohibit-password* or *without-password*,
> password and keyboard-interactive authentication are disabled for
> root.
>
> Proposed:
>
> If this option is set to *prohibit-password* (renamed from
> *without-password* to avoid ambiguity, both valid) only non
> keyboard-interactive authentication (public-key, hostbased and GSSAPI)
> is allowed for root.
>
>
--
-JH
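
Added example (not part of the original message and not OpenSSH code): a small Python check of which AuthenticationMethods lists apply to root and whether every accepted list pairs a password-type method with another method. Per sshd_config(5), commas join methods that must all succeed and spaces separate alternative lists; the parser is simplified and the sample configurations are constructed.

```python
# Added example: which AuthenticationMethods apply to a user, and do they
# force a key-type method AND a password-type method?
# Assumption: simplified parser; only global lines and "Match User a,b"
# blocks (exact names, no wildcards) are understood.
PASSWORD_LIKE = {"password", "keyboard-interactive"}

def parse_methods(value):
    """Space separates alternative lists; commas join methods that must all pass."""
    return [[m.split(":", 1)[0] for m in alt.split(",")] for alt in value.split()]

def effective_methods(config_text, user):
    """Parsed AuthenticationMethods for `user`, or None when the option is unset."""
    global_val, match_val, scope = None, None, "global"
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            hit = (len(args) == 2 and args[0].lower() == "user"
                   and user in args[1].split(","))
            scope = "hit" if hit else "skip"
        elif key == "authenticationmethods":
            if scope == "global" and global_val is None:
                global_val = " ".join(args)   # first global value wins
            elif scope == "hit" and match_val is None:
                match_val = " ".join(args)    # Match block overrides global
    chosen = match_val if match_val is not None else global_val
    return parse_methods(chosen) if chosen is not None else None

def needs_key_and_secret(lists):
    """True only if every alternative has a password-type and another method."""
    def both(alt):
        return (any(m in PASSWORD_LIKE for m in alt)
                and any(m not in PASSWORD_LIKE for m in alt))
    return bool(lists) and all(both(alt) for alt in lists)

# Constructed sample configurations (not taken from a real host).
SAMPLE_A = """AuthenticationMethods publickey,keyboard-interactive
Match User root
    AuthenticationMethods publickey
"""
SAMPLE_B = "AuthenticationMethods publickey,password publickey,keyboard-interactive\n"
SAMPLE_C = "AuthenticationMethods publickey password,keyboard-interactive\n"

if __name__ == "__main__":
    for name, cfg in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        lists = effective_methods(cfg, "root")
        print(name, lists, "key+secret required:", needs_key_and_secret(lists))
```

Sample C differs from sample B only in where the space and commas fall: it parses as two alternatives, one of which is publickey alone, so the check reports that a key plus a password is not enforced.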