Bug 167531

Summary: sshd_config option 'PermitRootLogin' 'forced-commands-only' does not work
Product: Red Hat Enterprise Linux 4
Reporter: greg hosler <greg>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium    
Version: 4.0   
Hardware: i386   
OS: Linux   
Last Closed: 2005-09-05 08:42:49 UTC

Description greg hosler 2005-09-04 11:23:41 UTC

Description of problem:
When sshd option 'PermitRootLogin' is set to 'forced-commands-only', forced commands to the root account do not work. The client is prompted for password (even though there is a valid key), and then denied access.

Oddly enough, when 'PermitRootLogin' is set to 'without-password', root is allowed in.

Version-Release number of selected component (if applicable):
openssh-3.9p1

How reproducible:
Always

Steps to Reproduce:
1. On server, edit /etc/ssh/sshd_config. Set 'PermitRootLogin' to 'forced-commands-only'
2. service sshd restart
3. install a public key to root's .ssh/authorized_keys file
4. go to a remote client and issue the command:
    ssh root@<server hostname> id

  

Actual Results: you are prompted for root's password, 3 times, and then denied access.

Expected Results: ssh should log in, issue the 'id' command, and then log out.


Additional info:

This has been broken for several releases. I believe that this used to work in RHL9. It did not work in RHEL3, and does not work in RHEL4.

Comment 1 Tomas Mraz 2005-09-05 08:42:49 UTC
This is a misunderstanding of the forced-commands-only option.

Please read man sshd, the section AUTHORIZED KEYS FILE FORMAT.
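
What the referenced man page section means for this report, as an added example (not part of the bug report or of OpenSSH): under `PermitRootLogin forced-commands-only`, sshd accepts a root key only when its authorized_keys entry carries a `command="..."` option, and that command runs instead of whatever the client asks for. The parser below reports the forced command for each entry; it assumes protocol 2 key lines, and the function names and sample file are constructed.

```python
import re

# Assumption: protocol 2 entries, whose key field starts with one of these prefixes.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def parse_line(line):
    """Return (options dict, key type) for one authorized_keys entry, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if KEY_TYPE.match(first):
        return {}, first               # no options field: line starts with the key type
    opts, cur, in_q, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_q and c == "\\" and line[i + 1:i + 2] == '"':
            cur += '"'                 # \" inside a quoted value is a literal quote
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        elif c == "," and not in_q:    # unquoted comma separates options
            opts.append(cur)
            cur = ""
        elif c in " \t" and not in_q:  # unquoted whitespace ends the options field
            break
        else:
            cur += c
        i += 1
    opts.append(cur)
    options = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        options[name.lower()] = value
    rest = line[i:].split()
    return options, (rest[0] if rest else "")

def forced_commands(text):
    """List (line number, key type, forced command or None) for every key entry."""
    parsed = ((n, parse_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, p[1], p[0].get("command")) for n, p in parsed if p]

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = r'''# root's authorized_keys
ssh-rsa AAAA_PLACEHOLDER admin@client
command="id",no-pty ssh-rsa AAAA_PLACEHOLDER monitor@client
from="192.0.2.10",command="echo \"a, b\"" ssh-dss AAAA_PLACEHOLDER sync@client'''
```

An entry whose forced command is `None` is the case in the report: the key is refused for root under `forced-commands-only`, and the client falls through to the password prompt.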