Re: Question restricting ssh access for some users only

From: Per Engelbrecht (per_at_xterm.dk)
Date: 10/07/04

    Date: Thu, 7 Oct 2004 21:01:58 +0200 (CEST)
    To: <freebsd-security@freebsd.org>
    
    

    > Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
    >> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden@eng.utah.edu>
    >> wrote:
    >> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200
    >> > wrote:
    >> > > Hi Jim,
    >> > >
    >> > >
    >> > But what if you have 1000 users? From my understanding you would
    >> > have to add all users to the AllowUsers list.
    >>
    >> Or simply add all of them to one of the groups specified in
    >> "AllowGroups".
    >
    > Yes I do understand how that would work. Let me better explain what
    > we would like to do: We have over 9000 users and about 100 different
    > groups. We would like to allow root ssh login to our machines but
    > only from one or two machines. We like to have root login to be
    > able to run remote commands to all our machines. So is there a way
    > to limit roots login from one or two machines?

    Hi Mark
    This is what I do:
    Disable root login via ssh entirely and set up 'sudo' and ssh-agents.
    You can make quite impressive sudo setups. Look at
    http://www.courtesan.com/sudo/

    With this approach the root passwd is safe (both from ssh and from
    other admins/users) and you can exec any command on any server without
    the use of a passwd if you use ssh-agents, and every 'sudo' command is
    logged. You know who did this and that .. and when.
    Furthermore, add accounting on each server and add a central syslog(-ng)
    server (if not done already).

    respectfully
    /per
    per@xterm.dk

    >
    > -Mark
    >
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to
    > "freebsd-security-unsubscribe@freebsd.org"
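An added example, not from the thread or from either poster: a small POSIX sh audit of an sshd_config against the first step in Per's advice, disabling root login over ssh. The check matters because sshd honours the first value it reads for a keyword, so a `PermitRootLogin no` appended below a stock `PermitRootLogin yes` changes nothing; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the
# "disable root login via ssh" step. sshd uses the FIRST value it reads
# for each keyword, so a later "PermitRootLogin no" does not override an
# earlier "PermitRootLogin yes"; these helpers mirror that rule.
# Assumes whitespace-separated "Keyword value" lines (the common form).

# effective_value KEYWORD  (config on stdin) -> first value sshd would use
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == key {                   # keywords are case-insensitive
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit   # first match wins
        }'
}

# root_ssh_disabled  (config on stdin) -> exit 0 only if root cannot ssh in
root_ssh_disabled() {
    [ "$(effective_value PermitRootLogin)" = "no" ]
}

# Constructed sample: the right setting was appended at the bottom, but the
# stock "yes" above it is what sshd actually honours.
sample='# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
AllowGroups wheel ops
# added later by an admin; sshd ignores it:
PermitRootLogin no'

if printf '%s\n' "$sample" | root_ssh_disabled; then
    echo "OK: root login over ssh is disabled"
else
    echo "WARNING: effective PermitRootLogin is '$(printf '%s\n' "$sample" | effective_value PermitRootLogin)'"
    echo "groups allowed to log in: $(printf '%s\n' "$sample" | effective_value AllowGroups)"
fi
```

Run it against a real file with `root_ssh_disabled < /etc/ssh/sshd_config`; on a fleet, the same check fits into whatever remote-command mechanism sudo plus ssh-agent already gives you.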
