81

I have some doubts about certain ssh server configurations on /etc/ssh/sshd_config. I want the next behavior:

  1. Public key authentication is the only way to authenticate as root (no password authentication or other)
  2. Normal users can use both (password and public key authentication)

If I set PasswordAuthentication no my first point is satisfied but not the second. There is a way to set PasswordAuthentication no only for root?

Improve this question

5 Answers 5

Reset to default
125

You can do this using the PermitRootLogin directive. From the sshd_config manpage:

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.

If this option is set to “without-password”, password authentication is disabled for root.

The following will accomplish what you want:

PasswordAuthentication yes
PermitRootLogin prohibit-password

From OpenSSH 7.0 changelog

PermitRootLogin now accepts an argument of 'prohibit-password' as a less-ambiguous synonym of 'without-password'.

Then reload your ssh server:

systemctl reload sshd

As usual, don't close your active terminal until you verified, from another terminal, that everything works and that you are not locked out by a mistake.

Improve this answer
4
  • 1
    I tried this on Debian and verified with service ssh restart on the server and then on the client I tried connecting without my key with ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@host and indeed could not login with password but could with key for the root user. Commented Jul 18, 2016 at 10:08
  • 1
    Yeah but if you just do this instead, then you can login with the password: ssh -o PreferredAuthentications=password root@host not particularly secure imho Commented Apr 30, 2018 at 20:12
  • 11
    In 2019 it is "PermitRootLogin prohibit-password", the old without-password is a deprecated alias. Commented Apr 8, 2019 at 8:55
  • In a fresh CentOS 7 from my hosting provider I have OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013, and sshd fails with "unsupported option "prohibit-password"". Need to use the deprecated without-password. Commented Aug 23, 2020 at 17:27
17

You can use Match blocks to configure some options per user or group authenticating or per IP address or host name of the origin of the connection.

PasswordAuthentication yes
PermitRootLogin yes

Match User root
PasswordAuthentication no

Then reload your ssh server:

systemctl reload sshd

As usual, don't close your active terminal until you verified, from another terminal, that everything works and that you are not locked out by a mistake.

Improve this answer
2
  • 2
    This seems the best method if you never want the password prompt to appear for root. Commented Apr 16, 2016 at 0:58
  • great! so elegant, works fine on Ubuntu 22. Even the restart hint not missing, appreciate it! eventually root access w/o password for ssh; could mention prerequisite root submits a key to the remote machine; next challenge: SSHFS; yes, this way root access by sshfs is possible (no -o allow_root !) and security looks acceptable. Thanks, great work! Commented Mar 10, 2024 at 11:57
10

I have an even more restrictive approach to grant root privileges on my server, which might be interesting for the paranoid ones like me. Be careful what you do and in which order, otherwise you might end up with a system you can't get root access on.

  • Create a specific group sugroup, whos members will be allowed to become root and only allow key authentication for this group by putting the following lines at the end of sshd_confid:

Match Group sugroup

PasswordAuthentication no

  • Place the command auth required pam_wheel.so group=sugroup in /etc/pam.d/su. It might be already there and you just have to uncomment it. This denies root access to all users not member of sugroup
  • Choose a strong root password :)
  • Check whether your new authentication method works, and only if:
  • Deny direct root login via ssh by using PermitRootLogin no in /etc/ssh/sshd_config.

Using this configuration it is necessary to use a key authentication and a password to become root. I configured my server like this, since I prefer having no direct root access via ssh, regardless of the authentication method.

Improve this answer
2

Beware, that current Debian (12 and 11) and possibly other systems, which incorporate config file plugin system, having config for sshd like this in sshd_config:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

...
PermitRootLogin yes
...

and custom config in /etc/ssh/sshd_config.d/my.conf

PermitRootLogin prohibit-password

Will result in allowed password, since sshd_config will override setting. Tested, thus warning.

Special note on this, because some systems, e.g. Proxmox will write down value explicitly in sshd_config file, and if you are managing custom configs with configuration management tool like Ansible, it will be false positive configuration.

Improve this answer
0

If you set PermitRootLogin no

You can't use a [root] username to login a server via any type of auth (ssh keys/password)

Improve this answer
1
  • Incorrect. Rocky 9 allows login when there is a key in /root/.ssh/authorized_keys. Commented Jun 23 at 17:34

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.