I just installed Ubuntu 14.04 on my server and I was setting up all my config files when I came across this in my sshd_config
file:
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
This made me very worried. I thought that it was possible that someone could be logging into my server as root without a password.
I tried connecting to my server as root via:
johns-mbp:~ john$ ssh root@192.168.1.48
The authenticity of host '192.168.1.48 (192.168.1.48)' can't be established.
RSA key fingerprint is 40:7e:28:f1:a8:36:28:da:eb:6f:d2:d0:3f:4b:4b:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.48' (RSA) to the list of known hosts.
root@192.168.1.48's password:
I entered a blank password and it didn't let me in, which was a relief. So my question is: what does without password mean and why is this a default in Ubuntu 14.04?
Best Answer
From the manpage:
Thus
without-password
allows root login only with public key authentication. This is often used with shell scripts and automated tasks.