Home / ubuntu / Questions / 449364
Accepted
John
Asked: 2014-04-18 17:12:55 +0800 CST

What does 'without password' mean in sshd_config file?

  • 772

I just installed Ubuntu 14.04 on my server and I was setting up all my config files when I came across this in my sshd_config file:

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

This made me very worried. I thought that it was possible that someone could be logging into my server as root without a password.

I tried connecting to my server as root via:

johns-mbp:~ john$ ssh [email protected]
The authenticity of host '192.168.1.48 (192.168.1.48)' can't be established.
RSA key fingerprint is 40:7e:28:f1:a8:36:28:da:eb:6f:d2:d0:3f:4b:4b:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.48' (RSA) to the list of known hosts.
[email protected]'s password:

I entered a blank password and it didn't let me in, which was a relief. So my question is: what does without password mean and why is this a default in Ubuntu 14.04?

openssh

4 Answers

  1. Best Answer

    From the man page:

    PermitRootLogin

    Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or "no”. The default is “yes”.

    If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root.

    If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

    If this option is set to “no”, root is not allowed to log in.

    Thus, prohibit-password allows root login only with public key authentication. This is often used with shell scripts and automated tasks.

    • 166

  2. Actually this setting does pretty much nothing if you are using PAM authentication. At the bottom of the sshd_config configuration file you will find:

    # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

    The default setting on Ubuntu is to use PAM authentication:

    UsePAM yes
    • 18

  3. In newer versions of sshd (OpenSSH 7.0 and above, released on 2015-08-11) "without-password" has been changed to "prohibit-password".

    Both version work, probably best to use "prohibit-password" if you can: it explains itself better.

    Source:

    • sshd_config(5): PermitRootLogin now accepts an argument of 'prohibit-password' as a less-ambiguous synonym of 'without-password'.
    • 7

  4. Note that there are legitimate reasons for logging in via root (but using cryptographic keys and never a password). A typical example is remotely syncing two servers (to have one of them being used as fail-over). Because the structure must be identical, often a root password is required.

    Here is an example using unison for the synchronisation.

    • 4