[CentOS] ssh prompting for password

Gordon Messmer yinyang at eburg.com
Thu Nov 18 01:40:21 EST 2010


On 11/16/2010 06:19 PM, Kwan Lowe wrote:
> On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists at spuddy.org> wrote:
>> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
>> normally the default) means that phase is run as the destination user
>> and not as root.
>
> To clarify, the sshd listener runs as root and then drops privileges
> once the user is authenticated.  The issue is specifically the root
> squash across NFS filesystems which is normally set to disable root
> privs on the mount (that, and noexec).  I.e., even root has no privs
> to validate the shared key.

You are both incorrect.  Key authentication *always* takes place as the 
user requesting login, regardless of the UsePrivilegeSeparation option.

When using UsePrivilegeSeparation, sshd creates a separate process to 
handle the crypto and compression bits (primarily) of incoming traffic, 
in order to prevent privilege escalation.  That option does not affect 
most authentication types (it is documented to interact with UseLogin, 
which is off by default).

I'm not aware of any configuration where root_squash will prevent users 
from authenticating with keys.
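
The thread turns on which identity opens ~/.ssh/authorized_keys when the home directory sits on a root-squashed NFS export. The following is an added example, not part of the original message and not OpenSSH code: it evaluates the owner/group/other mode bits along a constructed home tree, once for the file's owner and once for the anonymous uid that squashed root is mapped to. The directory names, the user "alice" and uid 65534 are assumptions made for the illustration.

```python
import os
import stat
import tempfile

ANON_UID = 65534  # assumption: uid the export maps squashed root to


def can_access(st, uid, gids, want):
    """Owner/group/other check for a non-root uid; want: 4=read, 1=search."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        bits = mode >> 6
    elif st.st_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & want) == want


def readable_as(base, rel, uid, gids):
    """Walk rel below base; return (True, None) or (False, blocking_path)."""
    cur, parts = base, rel.split("/")
    for name in parts[:-1]:
        cur = os.path.join(cur, name)
        if not can_access(os.stat(cur), uid, gids, 1):
            return False, cur
    cur = os.path.join(cur, parts[-1])
    if not can_access(os.stat(cur), uid, gids, 4):
        return False, cur
    return True, None


def demo():
    """Constructed tree: home 0755, alice 0700, .ssh 0700, authorized_keys 0600."""
    base = tempfile.mkdtemp()
    rel = "home/alice/.ssh/authorized_keys"
    os.makedirs(os.path.join(base, "home/alice/.ssh"))
    open(os.path.join(base, rel), "w").close()
    for sub, mode in [("home", 0o755), ("home/alice", 0o700),
                      ("home/alice/.ssh", 0o700), (rel, 0o600)]:
        os.chmod(os.path.join(base, sub), mode)
    owner = os.stat(os.path.join(base, rel)).st_uid
    # Keep the two identities distinct even if the demo itself runs as 65534.
    anon = ANON_UID if owner != ANON_UID else ANON_UID - 1
    return (readable_as(base, rel, owner, []),
            readable_as(base, rel, anon, []))


if __name__ == "__main__":
    print(demo())
```

The owner reaches and reads the key file, while the anonymous uid is stopped at the 0700 home directory, which is the first component it has no search permission on.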

