# deny ssh root access

## tekknokrat

I am just trying to set up ssh to disallow root access and only allow access for special user groups. Only key authentication should be accepted, apart from a rescue user.

The thing that bothers me is that the password request still appears, although the password is not accepted:

 *Quote:*

> $ ssh root@hostname
>
> Password:
> ...

In the same setup on ubuntu server (1:5.3p1-3ubuntu4) I get this message:

 *Quote:*

> $ ssh root@hostname
>
> Permission denied (publickey).
> ...

```
[I] net-misc/openssh
     Available versions:  5.2_p1-r3 5.3_p1-r1 ~5.4_p1-r2 ~5.5_p1-r1 {X X509 hpn kerberos ldap libedit pam pkcs11 selinux skey smartcard static tcpd}
     Installed versions:  5.3_p1-r1(02:14:55 06/10/10)(ldap pam -X -X509 -hpn -kerberos -libedit -pkcs11 -selinux -skey -smartcard -static -tcpd)
     Homepage:            http://www.openssh.org/
     Description:         Port of OpenBSD's free SSH release
```

profile: default/linux/amd64/10.0/server

The sshd_config file:

```
ListenAddress xx.xx.xx.xx
Protocol 2
ServerKeyBits 2048
PermitRootLogin no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem       sftp    /usr/lib64/misc/sftp-server
AllowGroups wheel
DenyUsers root
PasswordAuthentication no
Match User extadmin
        PasswordAuthentication yes
```

----------

## massimo

 *tekknokrat wrote:*   

> I am just trying to set up ssh to disallow root access and only allow access for special user groups. Only key authentication should be accepted, apart from a rescue user.
> 
> The thing that bothers me is that the password request still appears, although the password is not accepted:

 

UsePAM=yes could have an impact on this behaviour.

----------

## kimmie

I'd say it's due to PAM. From my sshd_config:

```
# ...  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```

So set:

```
ChallengeResponseAuthentication no
```

and you should be right.

----------

## tekknokrat

> So set:
>
> ```
> ChallengeResponseAuthentication no
> ```

This worked, and it is disabled by default in Ubuntu. Thx to both of you.

----------
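Added example (not part of the thread and not OpenSSH code): a small Python check that resolves the effective sshd_config settings for a user and lists the authentication methods the server would advertise, run on the config from the first post with and without the `ChallengeResponseAuthentication no` line. The function names are hypothetical, the defaults table is an assumption based on OpenSSH's documented defaults, and `Match` handling is simplified to `Match User`.

```python
import re

# Assumed defaults: OpenSSH's documented built-in values for these keywords.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "usepam": "no"}
METHODS = {"pubkeyauthentication": "publickey", "passwordauthentication": "password",
           "challengeresponseauthentication": "keyboard-interactive"}

def effective_settings(config_text, user):
    """Resolve keywords for `user`; only literal 'Match User a[,b]' blocks are handled."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            hit = len(crit) == 2 and crit[0].lower() == "user" and user in crit[1].split(",")
            target = match_opts if hit else {}   # other blocks' settings are dropped
        else:
            target.setdefault(key, value)        # sshd keeps the first value it reads
    return {**DEFAULTS, **global_opts, **match_opts}

def offered_methods(config_text, user):
    """Authentication methods sshd would advertise for a login as `user`."""
    opts = effective_settings(config_text, user)
    return sorted(m for k, m in METHODS.items() if opts[k].lower() == "yes")

def pam_password_prompt(config_text, user):
    """True when keyboard-interactive is on and PAM backs it (the 'Password:' prompt)."""
    opts = effective_settings(config_text, user)
    return (opts["usepam"].lower() == "yes"
            and opts["challengeresponseauthentication"].lower() == "yes")

# Constructed sample: the relevant lines of the config posted in the thread.
ORIGINAL = """PermitRootLogin no
UsePAM yes
DenyUsers root
PasswordAuthentication no
Match User extadmin
        PasswordAuthentication yes
"""
FIXED = "ChallengeResponseAuthentication no\n" + ORIGINAL  # the change suggested above

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, offered_methods(cfg, "root"), pam_password_prompt(cfg, "root"))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this sketch only shows why the unset keyword leaves keyboard-interactive enabled.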

