Ubuntu – What does ‘without password’ mean in sshd_config file

opensshsshd

I just installed Ubuntu 14.04 on my server and I was setting up all my config files when I came across this in my sshd_config file:

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

This made me very worried. I thought that it was possible that someone could be logging into my server as root without a password.

I tried connecting to my server as root via:

johns-mbp:~ john$ ssh root@192.168.1.48
The authenticity of host '192.168.1.48 (192.168.1.48)' can't be established.
RSA key fingerprint is 40:7e:28:f1:a8:36:28:da:eb:6f:d2:d0:3f:4b:4b:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.48' (RSA) to the list of known hosts.
root@192.168.1.48's password:

I entered a blank password and it didn't let me in, which was a relief. So my question is: what does without password mean and why is this a default in Ubuntu 14.04?

Best Answer

From the manpage:

PermitRootLogin

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or "no”. The default is “yes”.

If this option is set to “without-password”, password authentication is disabled for root.

If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to “no”, root is not allowed to log in.

Thus without-password allows root login only with public key authentication. This is often used with shell scripts and automated tasks.

Related Solutions

Ubuntu – 12.04 sshd_config file is empty, but the ssh_config is not empty

You can't have sshd running with a bad sshd_config. I don't know what's in that 20 byte sshd_config of yours, but it's broken. Probably best to just reinstall the default at this point.

I've recreated your problem here in a VM:

root@ubusrv:/etc/ssh# ps wwaux | grep ssh | grep -v grep
root    1277   0.0  1.1   49948   2812 ?       Ss  15:33  0:00 /usr/sbin/sshd -D
root@ubusrv:/etc/ssh# rm sshd_config ; /etc/init.d/ssh restart ; ps wwaux | grep ssh | grep -v grep
root@ubusrv:/etc/ssh#

As you can see, sshd did not restart when I removed sshd_config. Now, here's something interesting:

root@ubusrv:/etc/ssh# echo > sshd_config ; /etc/init.d/ssh start ; ps wwaux | grep ssh | grep -v grep
root    1364   0.0  1.1   49948   2804 ?       Ss  15:37  0:00 /usr/sbin/sshd -D

So, a completely blank sshd_config is sufficient to get it started. I DO NOT RECOMMEND THAT YOU DO THIS, HOWEVER. Instead, let's purge openssh-server and reinstall it, to restore the ORIGINAL, default sshd_config:

root@ubusrv:/etc/ssh# apt-get purge openssh-server ; apt-get install openssh-server
root@ubusrv:/etc/ssh# ps wwaux | grep ssh | grep -v grep
root    1762   0.0  1.1   49948   2820 ?       Ss  15:39  0:00 /usr/sbin/sshd -D
root@ubusrv:/etc/ssh# wc -l sshd_config
87 sshd_config

As you can see, we now have sshd running again, and with our default (87 lines long) sshd_config file.

In the future, I would recommend making backups of any config files you're experimenting with - cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak or similar. :)

Ubuntu – take changes in file sshd_config file without server reboot

Simply restart the sshd service:

sudo service sshd restart

or:

sudo /etc/init.d/sshd restart

Just in case you are restarting remotely, the configuration should be checked first to make sure it will not fail to start:

sudo sshd -t

Best Answer

PermitRootLogin

Related Solutions

Ubuntu – 12.04 sshd_config file is empty, but the ssh_config is not empty

Ubuntu – take changes in file sshd_config file without server reboot

Related Question