OpenSSH - disallowing root login

[nico911]

I'd like to disallow direct root login to the server.
However he should be allowed to execute certain set of commands via ssh.
I've done it using PermitRootLogin=forced-commands-only option.
I solved the problem with remote commands execution with root privileges, but I don't know how to make scp working with this option
I searched many forums, but I found, that there's no direct way to make scp working with PermitRootLogin=forced-commands-only.
Do you have any ideas?

Thanks
Niko

[anomie]

Are you willing to set up pubkey authentication for root? If so, in sshd_config set:

• PermitRootLogin without-password
• ChallengeResponseAuthentication no

That will stop password authentication for root, and it should enable interactive session and scp commands using the pubkey authentication.

Don't forget to restart / reload sshd after making the changes.

[nico911]

Yes, root login should be allowed using pubkey authentication.

But using settings you suggested, my problem has been solved (scp works fine), but root can login without password (simply: ssh root@hostname) from any account, which is highly dangerous.

When I set:

• PermitRootLogin yes

scp also works and root can't login without password.
But the problem is, that I have to disallow direct root logins to the remote machine.

[anomie]

but root can login without password (simply: ssh root@hostname) from any account, which is highly dangerous.

I agree - that sounds dangerous. But that's not what I was suggesting that you do. The private key should be only in root's home directory. Then only he can log in using his key pair.

[nico911]

The problem is, that in authorized_keys file there're many public keys as many users can login using pubkey authentication.

What I observed was quite strange.
I set:

• PermitRootLogin without-password

Then did su to non-privileged user (nico), which was allowed to login to the remote host via ssh+pubkey and then typed:

Code:

#ssh root@remotehost

And after that I logged to the remote host as root. The private key used to login was taken from the nico's home directory, but I don't know why ssh allows to login as a root from any account.

Anyway I solved my problem in different way.
I set:

• PermitRootLogin yes

but additionally specified the list of user@host (AllowUsers), which can login as a root. The problem was, that I wanted to dissallow root login from the outside of the internal network and this configuration does the work.

Thanks for help.

[anomie]

The PermitRootLogin without-password directive does not work that way. All it does is disable password authentication for root. (It does not enable non-privileged users to login as root remotely.)

The command line snippet you posted contains a #, which is a root shell.

I'm not exactly sure why you were seeing the behavior you were; it doesn't make sense. Let me know if you want to pursue it further.

[nico911]

This # was just an indicator of a shell prompt, I didn't want to insert whole prompt. Now I see I should have put e.g. $, # might be a little confusing.

The behaviour I observed was really strange for me, but I didn't have enought time to analyze why it happened.
Anyway I needed to find any solution as quick as possible (as usual ) and the one I found works fine.
Probably solution with PermitRootLogin without-password directive would be better, I'll try to test it.

Thanks again for your suggestions.