Re: Question restricting ssh access for some users only
From: Per Engelbrecht (per_at_xterm.dk)
Date: Thu, 7 Oct 2004 21:01:58 +0200 (CEST)
To: <email@example.com>
> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
>> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <firstname.lastname@example.org>
>> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200
>> > wrote:
>> > > Hi Jim,
>> > >
>> > >
>> > But what if you have 1000 users? From my understanding you would
>> > have to add all users to the AllowUsers list.
>> Or simply add all of them to one of the groups specified in
> Yes, I do understand how that would work. Let me better explain what
> we would like to do: We have over 9000 users and about 100
> groups. We would like to allow root ssh login to our machines but
> only from one or two machines. We like to have root login to be
> able to run remote commands to all our machines. So is there a way
> to limit root's login from one or two machines?
This is what I do:
Disable root login via ssh entirely and set up 'sudo' and ssh-agents.
You can make quite impressive sudo setups. Look at
With this approach the root passwd is safe (both from ssh and from
other admin/users) and you can exec any command on any server without
the use of passwd if you use ssh-agents, and every 'sudo' command is
logged. You know who did this and that .. and when.
Furthermore, add accounting on each server and add a central syslog(-ng)
server (if not done already).
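Added example, not part of the original message or of OpenSSH: a small Python check that compares the two approaches discussed in the thread, restricting root by host through AllowUsers versus disabling root login and letting named admins in. The config texts, addresses and account names are constructed, and the matching is a simplification of sshd's (no Match blocks, AllowGroups, Deny*, CIDR or negated patterns).

```python
import fnmatch

# Constructed configs; addresses and account names are made up for illustration.
ROOT_BY_HOST = """\
# root allowed only from one admin machine
AllowUsers root@192.0.2.10
"""
SUDO_STYLE = """\
# root never logs in over ssh; admins log in as themselves and use sudo
PermitRootLogin no
AllowUsers admin@192.0.2.10 admin@192.0.2.11
AllowUsers backup@*.example.org
# a later duplicate is ignored: sshd keeps the first value of a keyword
PermitRootLogin yes
"""

def parse(text):
    """Return (first-seen keyword values, accumulated AllowUsers patterns)."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key.lower() == "allowusers":
            allow_users.extend(args)              # repeated lines add patterns
        else:
            settings.setdefault(key.lower(), " ".join(args))
    return settings, allow_users

def login_allowed(text, user, host):
    """Simplified check: PermitRootLogin no, then AllowUsers USER[@HOST] globs.
    Not modelled: Match blocks, Deny*/AllowGroups, CIDR and negated patterns."""
    settings, allow_users = parse(text)
    if user == "root" and settings.get("permitrootlogin", "").lower() == "no":
        return False
    if not allow_users:
        return True                               # no AllowUsers restriction
    for pattern in allow_users:
        pat_user, at, pat_host = pattern.partition("@")
        if fnmatch.fnmatchcase(user, pat_user) and (
                not at or fnmatch.fnmatchcase(host.lower(), pat_host.lower())):
            return True
    return False

if __name__ == "__main__":
    for name, cfg in (("ROOT_BY_HOST", ROOT_BY_HOST), ("SUDO_STYLE", SUDO_STYLE)):
        for user, host in (("root", "192.0.2.10"), ("root", "198.51.100.7"),
                           ("alice", "198.51.100.7"), ("admin", "192.0.2.11")):
            print(name, user, host, login_allowed(cfg, user, host))
```

With ROOT_BY_HOST, every account other than root is refused, which is the side effect of AllowUsers raised earlier in the thread for sites with thousands of users.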