
I have some doubts about certain SSH server configurations in /etc/ssh/sshd_config. I want the following behavior:

  1. Public key authentication is the only way to authenticate as root (no password authentication or other)
  2. Normal users can use both (password and public key authentication)

If I set PasswordAuthentication no, my first point is satisfied but not the second. Is there a way to set PasswordAuthentication no only for root?

Gilles 'SO- stop being evil'
mavillan

3 Answers


You can do this using the PermitRootLogin directive. From the sshd_config manpage:

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.

If this option is set to “without-password”, password authentication is disabled for root.

The following will accomplish what you want:

PasswordAuthentication yes
PermitRootLogin prohibit-password

From the OpenSSH 7.0 changelog:

PermitRootLogin now accepts an argument of 'prohibit-password' as a less-ambiguous synonym of 'without-password'.

Then reload your ssh server:

systemctl reload sshd

As usual, don't close your active terminal until you have verified, from another terminal, that everything works and that you are not locked out by a mistake.

Valerio Bozz
jordanm
  • I tried this on Debian and verified with `service ssh restart` on the server, and then on the client I tried connecting without my key with `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@host`, and indeed could not log in with a password but could with a key for the root user. – bastian Jul 18 '16 at 10:08
  • Yeah, but if you just do this instead, then you can log in with the password: `ssh -o PreferredAuthentications=password root@host`. Not particularly secure imho. – geoidesic Apr 30 '18 at 20:12
  • In 2019 it is "PermitRootLogin prohibit-password"; the old without-password is a deprecated alias. – vbraun Apr 08 '19 at 08:55
  • In a fresh CentOS 7 from my hosting provider I have *OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013*, and sshd fails with "unsupported option "prohibit-password"". Need to use the deprecated *without-password*. – Yaroslav Nikitenko Aug 23 '20 at 17:27

You can use Match blocks to configure some options per authenticating user or group, or per IP address or host name of the connection's origin.

PasswordAuthentication yes
PermitRootLogin yes

Match User root
PasswordAuthentication no

Then reload your ssh server:

systemctl reload sshd

As usual, don't close your active terminal until you have verified, from another terminal, that everything works and that you are not locked out by a mistake.

Valerio Bozz
Gilles 'SO- stop being evil'
  • This seems the best method if you never want the password prompt to appear for root. – Leo Apr 16 '16 at 00:58
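To check which value a keyword actually takes for root versus a normal user under the Match approach above (and the PermitRootLogin setting from the first answer), here is an added example that is not from any of the answers: an offline evaluator of the "Match User" override rule (a Match block's setting wins over the global section, and the first value set wins), plus a wrapper around sshd's own authoritative `sshd -T -C user=...` check. The sample configuration is constructed from the second answer; only the "Match User" criterion is modelled, other Match criteria are treated as never matching.

```shell
# Added example (not from the answers above): evaluate an sshd_config keyword for a user.
# Model: settings inside a matching "Match User" block override the global section;
# within each scope the first value set wins. Only the "Match User <list>" criterion is
# modelled here; Match lines with other criteria are treated as not matching.

# Usage: effective_setting <config-file> <user> <keyword>
effective_setting() {
    awk -v user="$2" -v lk="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == "match" {                        # a Match line opens a new block
            inblk = 1; active = 0
            if (tolower($2) == "user") {
                n = split($3, users, ",")
                for (i = 1; i <= n; i++) if (users[i] == user) active = 1
            }
            next
        }
        tolower($1) == lk {
            if (inblk && active && mval == "") mval = $2    # first matching Match block wins
            else if (!inblk && gval == "") gval = $2        # first global occurrence wins
        }
        END { if (mval != "") print mval; else if (gval != "") print gval; else print "(default)" }
    ' "$1"
}

# Usage: effective_setting_live <user> <keyword>; asks the installed sshd itself (run as
# root; -T prints the effective configuration for the connection described by -C).
effective_setting_live() {
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" |
        awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '$1 == lk { print $2; exit }'
}

# Constructed sample: the configuration given in the second answer.
write_sample_config() {
    cat > "$1" <<'EOF'
PasswordAuthentication yes
PermitRootLogin yes

Match User root
PasswordAuthentication no
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
for u in root alice; do
    printf '%-6s PasswordAuthentication=%s\n' "$u" "$(effective_setting "$cfg" "$u" PasswordAuthentication)"
done
rm -f "$cfg"
```

On a real host, compare the offline result against `effective_setting_live root PasswordAuthentication`; a mismatch means the running sshd does not read the file the way you expect (for example, an Include directive or a Match criterion this evaluator does not model).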

I have an even more restrictive approach to grant root privileges on my server, which might be interesting for the paranoid ones like me. Be careful what you do and in which order, otherwise you might end up with a system you can't get root access on.

  • Create a specific group sugroup, whose members will be allowed to become root, and only allow key authentication for this group by putting the following lines at the end of sshd_config:

Match Group sugroup
PasswordAuthentication no

  • Place the line auth required pam_wheel.so group=sugroup in /etc/pam.d/su. It might already be there, and you just have to uncomment it. This denies root access to all users who are not members of sugroup.
  • Choose a strong root password :)
  • Check whether your new authentication method works, and only if it does:
  • Deny direct root login via ssh by using PermitRootLogin no in /etc/ssh/sshd_config.

Using this configuration, it is necessary to use key authentication and a password to become root. I configured my server like this, since I prefer having no direct root access via ssh, regardless of the authentication method.

Rui F Ribeiro
staxyz