FreeIPA - ssh as root prompted for password

Question

I know the access via root won't work (client sshd_config and restricted account in FreeIPA). But is there a way to blacklist root either on the host or on FreeIPA so it's denied immediately rather than prompting for a password?

I'm wondering if I'm missing something... If not possible then I guess my next goal will be to log root attempts via FreeIPA and alert/report on them.

score 0 · Answer 1 · answered Jun 14 '21 at 22:36

0

You should be able to do something like this in sshd_config:

Match User root
  AuthenticationMethods publickey

Match User *
  AuthenticationMethods publickey,password

Possibly add an AuthorizedKeysFile /dev/null to the root config as well.

answered Jun 14 '21 at 22:36

Mark Wagner

18,019
2
32
47

can't you do `AuthenticationMethods none` – Jacob Evans Jun 14 '21 at 23:47
I don't think so: "none" (used for access to password-less accounts when PermitEmptyPasswords is enabled). – Mark Wagner Jun 15 '21 at 16:47
There's also `PermitRootLogin no` or `prohibit-password` – okapi Jan 06 '22 at 23:13

FreeIPA - ssh as root prompted for password

1 Answers1