I have several servers running Debian Lenny.
Just recently I discovered the PermitRootLogin=forced-commands-only directive for ssh, which allows me to run a scripted rsync as root with an ssl key, without enabling more generalized root ssh access.
However, last week this stopped working - it appears on all of my servers - and I can't figure out why.
Everything continues to work fine with PermitRootLogin=yes, but I would prefer to block root logins - especially via passwords.
The day it stopped working, we reconfigured some of the ports on one of our switches (which we later reverted), but I can't see that affecting this, since it still works with PermitRootLogin set to yes.
How can I diagnose why the forced-commands-only directive has apparently stopped working?
"PermitRootLogin forced-commands-only" requires that all connections, via SSH as root, need to use public key authentication and that a command be associated with that key (like 'validate-rsync').
If you want to login as root but only with keys use:
To restrict rsync to a defined ssh-key you can specify in your authorized_keys:
And save this wrapper to: /usr/local/sbin/validate-rsync
There is a slightly more complicated script shipped with rsync to do the same, http://www.samba.org/ftp/unpacked/rsync/support/rrsync
If rsync can login as root, then anybody can: there's no difference for the server what's knocking at. I believe it was either experimental/hacky, or they just realized it's not more secure than 'yes'.
I'd suggest you disabling password auth for root (e.g. remove the password at all and use
sudowhen needed) and rely on key auth method.