Is PermitRootLogin without-password a secure method? [duplicate]

I have read a lot of documentation on disabling root user login via ssh for security reasons. I have set in /etc/ssh/sshd_config

PermitRootLogin no

If I disable root login then boot need to assume user name and password also.

If I set

PermitRootLogin without-password

Then it is secure to do this. If I use my sshkey is it secure? Please explain.

8

1 Answer

From the man page man sshd

PermitRootLogin

Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, without-password, forced-commands-only, or no. The default is prohibit-password.

If this option is set to prohibit-password or without-password, password and keyboard-interactive authentication are disabled for root.

If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

So, "without-password" allows root to log in via any method EXCEPT password authentication. This can include ssh keys and kerberos.

IMO this is a secure option.

See also What does 'without password' mean in sshd_config file?

2