Is PermitRootLogin based on UID or user name?

I appreciate the approach of @mtak in the other answer, but the answer is obvious even without these trials.

It is based on the UID, as you can see in the source code of OpenSSH:

if (authctxt->pw->pw_uid == 0 &&
    !auth_root_allowed(auth_method))
        authenticated = 0;

Also, every authentication method shows something like:

if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
    ok = 0;

Grepping further in the code, you may notice there is no strcmp("root", pw->pw_name) or some alternative, if that is enough for you.


It seems the check is done on UID (tested on OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016):

Set PermitRootLogin off:

mtak@pdv1:~$ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no

Make sure a user named admin is created with UID 0:

mtak@pdv1:~$ sudo grep admin /etc/passwd
admin:x:0:0:Root User:/root:/bin/bash

Make sure the user can be used to log on to the system:

mtak@pdv1:~$ su - admin
Password: 
root@pdv1:~# 

Check if we can log on to the system using SSH:

mtak@rubiks:~$ ssh admin@pdv1
admin@pdv1's password: 
Permission denied, please try again.

If we turn PermitRootLogin on:

mtak@pdv1:~$ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes

And try to log on:

mtak@rubiks:~$ ssh admin@pdv1
admin@pdv1's password: 
Linux pdv1 4.4.8-1-pve #1 SMP Tue May 17 16:14:08 CEST 2016 x86_64
Last login: Wed Aug 24 12:05:28 2016 from xxx
root@pdv1:~# 
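
An added example (not part of either answer and not OpenSSH code): a Python audit that lists every passwd entry with UID 0, since sshd applies PermitRootLogin to all of them regardless of name, and reads the global PermitRootLogin value. The sample passwd and sshd_config text are constructed, the function names are hypothetical, and Match blocks are not evaluated.

```python
# Constructed sample data, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:0:0:Root User:/root:/bin/bash
mtak:x:1000:1000::/home/mtak:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin no
PermitRootLogin yes
"""


def uid0_accounts(passwd_text):
    """Return login names whose UID field is 0, in file order."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # passwd(5) layout: name:password:UID:GID:GECOS:home:shell
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) == 0:
            names.append(fields[0])
    return names


def global_permit_root_login(config_text):
    """Return the global PermitRootLogin value, or None if it is not set."""
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break  # simplification: conditional blocks are not evaluated
        if keyword == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()  # sshd uses the first value it reads
    return None


def report(passwd_text, config_text):
    """Map every UID-0 account to the PermitRootLogin value governing it."""
    setting = global_permit_root_login(config_text)
    return {name: setting for name in uid0_accounts(passwd_text)}


if __name__ == "__main__":
    for name, setting in report(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG).items():
        print(f"{name}: UID 0, PermitRootLogin={setting}")
```

A result of None means the keyword is not set globally, so the compiled-in default of the installed OpenSSH version applies.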
