https://community.hpe.com/t5/server-management-systems/ssh-setup-without-root-access/m-p/4726200#M42666 Replying to my own thread. I have somewhat mitigated root access by creating a sim-specific user to use as a login account on the linux servers. Now at least root access can be turned off.<BR /><BR />BUT, this still required password-based authentication which I still want to disable.<BR /><BR />Getting closer, Chris. Tue, 14 Dec 2010 14:51:58 GMT Chris Mosentine 2010-12-14T14:51:58Z https://community.hpe.com/t5/server-management-systems/ssh-setup-without-root-access/m-p/4726199#M42665 I posted this question as part of another thread, but I think it deserves it's own thread.<BR /><BR />In configuring SIM access to my SUSE linux servers, I have had to open up ssh to allow root login via password, which I do not like to do, even on our network behind a good firewall.<BR /><BR />I can see possibly enabling root access for the initial setup, but what I don't understand is why root access in needed thereafter as certificate-based authentication should be working. Below is my ssh_config file.<BR /><BR />Can you point out what I may be doing wrong? Thanks, Chris.<BR /><BR /># The strategy used for options in the default sshd_config shipped with<BR /># OpenSSH is to specify options with their default value where<BR /># possible, but leave them commented. Uncommented options change a<BR /># default value.<BR /><BR />Port 22<BR />Protocol 2<BR />#AddressFamily any<BR />#ListenAddress 0.0.0.0<BR />#ListenAddress ::<BR /><BR /># HostKey for protocol version 1<BR />#HostKey /etc/ssh/ssh_host_key<BR /># HostKeys for protocol version 2<BR />HostKey /etc/ssh/ssh_host_rsa_key<BR />#HostKey /etc/ssh/ssh_host_dsa_key<BR /><BR /># Lifetime and size of ephemeral version 1 server key<BR />#KeyRegenerationInterval 1h<BR />#ServerKeyBits 768<BR /><BR /># Logging<BR /># obsoletes QuietMode and FascistLogging<BR />#SyslogFacility AUTH<BR />#LogLevel INFO<BR /><BR /># Authentication:<BR /><BR />#LoginGraceTime 2m<BR />PermitRootLogin yes<BR />#StrictModes yes<BR />#MaxAuthTries 6<BR /><BR />RSAAuthentication yes<BR />PubkeyAuthentication yes<BR />AuthorizedKeysFile .ssh/authorized_keys<BR /><BR /># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<BR />#RhostsRSAAuthentication yes<BR /># similar for protocol version 2<BR />HostbasedAuthentication yes <BR /># Change to yes if you don't trust ~/.ssh/known_hosts for<BR />HostbasedAuthentication yes <BR />#IgnoreUserKnownHosts no<BR /># Don't read the user's ~/.rhosts and ~/.shosts files<BR />#IgnoreRhosts yes<BR /><BR /># To disable tunneled clear text passwords, change to no here!<BR />PasswordAuthentication yes<BR />PermitEmptyPasswords no<BR /><BR /># Change to no to disable s/key passwords<BR />#ChallengeResponseAuthentication yes<BR /><BR /># Kerberos options<BR />#KerberosAuthentication no<BR />#KerberosOrLocalPasswd yes<BR />#KerberosTicketCleanup yes<BR />#KerberosGetAFSToken no<BR /><BR /># GSSAPI options<BR />#GSSAPIAuthentication no<BR />#GSSAPICleanupCredentials yes<BR /><BR /># Set this to 'yes' to enable support for the deprecated 'gssapi' authentication<BR /># mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included<BR /># in this release. The use of 'gssapi' is deprecated due to the presence of <BR /># potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.<BR />#GSSAPIEnableMITMAttack no<BR /> <BR /><BR /># Set this to 'yes' to enable PAM authentication, account processing, <BR /># and session processing. If this is enabled, PAM authentication will <BR /># be allowed through the ChallengeResponseAuthentication mechanism. <BR /># Depending on your PAM configuration, this may bypass the setting of <BR /># PasswordAuthentication, PermitEmptyPasswords, and <BR /># "PermitRootLogin without-password". If you just want the PAM account and <BR /># session checks to run without PAM authentication, then enable this but set <BR /># ChallengeResponseAuthentication=no<BR />UsePAM yes<BR /><BR />#AllowTcpForwarding yes<BR />#GatewayPorts no<BR />X11Forwarding yes <BR />#X11DisplayOffset 10<BR />#X11UseLocalhost yes<BR />#PrintMotd yes<BR />#PrintLastLog yes<BR />#TCPKeepAlive yes<BR />#UseLogin no<BR />#UsePrivilegeSeparation yes<BR />#PermitUserEnvironment no<BR />#Compression delayed<BR />#ClientAliveInterval 0<BR />#ClientAliveCountMax 3<BR />#UseDNS yes<BR />#PidFile /var/run/sshd.pid<BR />#MaxStartups 10<BR /><BR /># no default banner path<BR />#Banner /some/path<BR /><BR /># override default of no subsystems<BR />Subsystem sftp /usr/lib64/ssh/sftp-server<BR /><BR /># This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).<BR />AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES <BR />AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT <BR />AcceptEnv LC_IDENTIFICATION LC_ALL<BR /> Tue, 14 Dec 2010 14:00:41 GMT https://community.hpe.com/t5/server-management-systems/ssh-setup-without-root-access/m-p/4726199#M42665 Chris Mosentine 2010-12-14T14:00:41Z https://community.hpe.com/t5/server-management-systems/ssh-setup-without-root-access/m-p/4726200#M42666 Replying to my own thread. I have somewhat mitigated root access by creating a sim-specific user to use as a login account on the linux servers. Now at least root access can be turned off.<BR /><BR />BUT, this still required password-based authentication which I still want to disable.<BR /><BR />Getting closer, Chris. Tue, 14 Dec 2010 14:51:58 GMT https://community.hpe.com/t5/server-management-systems/ssh-setup-without-root-access/m-p/4726200#M42666 Chris Mosentine 2010-12-14T14:51:58Z