One day (4 years ago), I rebooted my server. After the reboot was complete, I tried to log in as usual with my regular (non-root) account. At that time, I had
I got the answer
The system is going down on Sun Aug 16 00:43:48 2009
and couldn’t log in. But it was not true, the server was not going to shut down. It had shut down, but it was already up. Actually, I noticed that for some mysterious reason, the /etc/nologin file, created by shutdown, hadn’t been deleted.
/etc/nologin file exists, SSH doesn’t allow any user to log in, except root.
PermitRootLogin was set to « no », I couldn’t log in and was forced to hard reboot my server in rescue mode, mount the file system, delete the /etc/nologin file, and reboot.
So, what do you think about leaving PermitRootLogin set to « yes », but disabling its password (passwd -l root), so that only SSH-key connection is allowed for root?
sshd already supports the scenario you want:
This permits root to use any authentication method except password.
For a single-sysadmin scenario this is fine. Though, as has been discussed ad nauseam here and elsewhere, if you have multiple sysadmins, none of them should be logging in as root.
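Added example, not part of the original question or answer: a shell check for the failure described above, reporting whether a leftover /etc/nologin combined with the host's PermitRootLogin value still leaves a way in over SSH. The function names and sample files are constructed for illustration; `prohibit-password` and its older alias `without-password` are the OpenSSH values for root login without a password, and the parser assumes whitespace-separated, unquoted values in the global section of a single file.

```shell
#!/bin/sh
# Added example. Reads only the global section of one sshd_config file
# (Include and Match blocks are not followed); on a live host, `sshd -T`
# prints the effective settings instead.

# Print the global PermitRootLogin value. sshd keeps the first occurrence
# of a keyword, and keywords are case-insensitive.
root_login_mode() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }   # default since OpenSSH 7.0
    ' "$1"
}

# lockout_status SSHD_CONFIG NOLOGIN_FILE
# While the nologin file exists only root may log in, so the root login
# mode decides whether the file can still be removed over SSH.
lockout_status() {
    mode=$(root_login_mode "$1")
    if [ ! -e "$2" ]; then
        echo "ok: no nologin file (root login mode: $mode)"
        return
    fi
    case "$mode" in
        no)
            echo "LOCKED OUT: $2 exists and PermitRootLogin is no" ;;
        forced-commands-only)
            echo "limited: $2 exists, root can only run forced commands" ;;
        prohibit-password|without-password)
            echo "recoverable: $2 exists, root can log in without a password (e.g. a key)" ;;
        *)
            echo "recoverable: $2 exists, root can log in (mode: $mode)" ;;
    esac
}

# Constructed sample reproducing the situation in the question.
demo=$(mktemp -d)
printf 'PermitRootLogin no\n' > "$demo/sshd_config"
printf 'The system is going down\n' > "$demo/nologin"
lockout_status "$demo/sshd_config" "$demo/nologin"
rm -rf "$demo"
```

Run against the real paths as `lockout_status /etc/ssh/sshd_config /etc/nologin`, for example from a boot-time job that alerts on the LOCKED OUT result.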
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.