On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
is, which is why ssh provides the option:
AllowRoot without-password
Why would I want to enable that?
Because it's more secure than the default of allowing root logins with password remotely. But forget it, it's not entirely on-topic, as I'd partially misread what you'd said.
That is a choice I got in PAM, sssd offers no choice.
Still, I don't see how the above somehow documents sssd's "no root login whatsoever" policy. The docs actually hint the opposite:

filter_users, filter_groups (string)
    Exclude certain users from being fetched from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the particular domain.
    Default: root

This makes me think I only have to add an empty filter_users to allow root
Sure, the documentation encourages you to think you could disable it, and if that's not the case, it's a flaw in the documentation.
Maybe you've got a point that sssd should allow this unusual setup.
jh