This is interesting, but I'm still a little confused.
Still don't know exactly what you mean by
"...they don't stop a ssh -l root hostname."
Does it produce the hostname output
or does it ask for a password?
What behavior exactly are you looking for?
If you have SSH equivalence (shared keys) set up for 'root' between the two servers, then, of course, 'root' would not be queried for a password.
If you have *removed* equivalence, then it will stop and ask for a password.
Then, if the
PermitRootLogin without-password
is set, then the even correct password should fail.
Are you saying that it *accepts* the correct password and allows you to login (or run the command)?
As a side note, I don't see the point of the
PermitRootLogin without-password
(unless you have more than one root user, which I happen to have. see below.
)
If root's are equivalent, then login/command will SUCCEED without asking for pw.
If they are NOT equivalent, then pw will FAIL, so, in effect, root is denied.
How does that differ from
PermitRootLogin no
?
I have two servers "tetty", "kinky",
both with
sshd_config,v 1.59
& OpenSSH_3.6.1p2
.
I have *TWO* root users on each, 'root' and 'rb'.
(I do this to leave 'root' user totally alone.
My 'rb' login is id=0, but he has a different homedir and I can change .profile and other stuff without interfering with the default 'root' account.
)
Equivalence is set up for 'root' between "kinky" & "tetty".
Tetty changed to "without-password" :
tetty ## grep oot /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin without-password
[root@kinky root]# id
uid=0(root) gid=0(root) ...
[root@kinky root]# ssh root@tetty hostname
tetty
[root@kinky root]# ssh rb@tetty hostname
rb@tetty's password: [correct password entered]
Permission denied, please try again.
bv
"The lyf so short, the craft so long to lerne." - Chaucer
