Re: Question restricting ssh access for some users only

From: Michael Nicks (nicksm_at_ioport.com)
Date: 11/21/04

    Date: Sun, 21 Nov 2004 14:21:22 -0600
    To: freebsd-security@freebsd.org

    On 11/20/04 01:29:09 -0500, Francisco wrote:
    > On Thu, 7 Oct 2004, Mark Ogden wrote:
    >
    > Coming.. way late to the discussion..
    >
    > >groups. We would like to allow root ssh login to our machines but only
    > >from one or two machines.
    >
    > For starters I don't think it is a good idea to allow remote root logins
    > There are several ways to do what you want.
    > A few options
    >
    > If you only need the root users to login, set the firewall to only allow
    > ssh from specific IPs. Set a user that can ssh and either configure sudo
    > or allow user to su.
    >
    > >We like to have root login to be able to run
    > >remote commands to all our machines.
    >
    > That sounds like something you could do with a regular user + sudo.
    >
    > >So is there a way to limit roots
    > >login from one or two machines?
    >
    > Yet another approach, you can turn on to allow connections with keys
    > only. No password authentication. Then enable root.. or better another ID
    > which can su or sudo the commands you need.

    Look at the 'AllowUsers' directive in sshd_config. You can use something
    along the lines of 'AllowUsers root@10.0.0.1 root@10.0.0.1 etc'. You can also use
    wildcards in the fields.

    -- 
    Michael Nicks				     IOPort Technologies, LLC
    nicksm@ioport.com			PGP/GNUPG key: 1024D/0F11CED3
    1(913)-378-6516			    Keyfile available at pgp.mit.edu.
        (Fingerprint: 4F9A 25F8 5DC7 4BA0 6288  91E3 C7CD ADA4 0F11 CED3)
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
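The directive Michael points at, combined with the key-only and restricted-source advice quoted above from Francisco, can be checked against a small model of how sshd evaluates them. The Python below is an added illustration for this archive page, not code from the thread or from OpenSSH itself; the sshd_config fragment, user names, host names and addresses in it are constructed. It models AllowUsers matching (a glob on the user part, an optional @host part that is either a glob tested against the client's address and hostname or a CIDR block tested against the address), plus PermitRootLogin and PasswordAuthentication, and reports why a given login attempt would be refused.

```python
import ipaddress
import re

# Constructed sshd_config fragment (not from the thread): root only from two
# management addresses with a key, operators only from the office network.
# Older OpenSSH spells 'prohibit-password' as 'without-password'; the CIDR
# form in the host part needs a release newer than the one current in 2004.
SSHD_CONFIG = """
PermitRootLogin prohibit-password
PasswordAuthentication no
# root from two jump hosts; any ops* account from the office LAN
AllowUsers root@10.0.0.1 root@10.0.0.2 ops*@192.168.1.0/24
"""


def parse_config(text):
    """Minimal 'Keyword value...' parser; repeated keywords accumulate values."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        opts.setdefault(key.lower(), []).extend(value.split())
    return opts


def glob_match(pattern, text):
    """sshd-style pattern: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r'\*', '.*').replace(r'\?', '.')
    return re.fullmatch(regex, text) is not None


def host_match(pattern, hostname, addr):
    """Host part of USER@HOST: CIDR applies to the address only, a glob to both.
    The hostname side only means something when sshd resolves client names
    (UseDNS); with UseDNS off sshd uses the address as the name anyway."""
    if '/' in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return glob_match(pattern, hostname) or glob_match(pattern, addr)


def allowed(patterns, user, hostname, addr):
    """AllowUsers semantics: once the directive is set, only listed matches pass.
    An empty list means the directive is absent, so nobody is filtered here."""
    if not patterns:
        return True
    for pat in patterns:
        user_pat, _, host_pat = pat.partition('@')
        if glob_match(user_pat, user) and (not host_pat or host_match(host_pat, hostname, addr)):
            return True
    return False


def decide(cfg, user, hostname, addr, method):
    """Combine the three directives. sshd actually rejects on AllowUsers before
    looking at the authentication method; the order here is simplified but the
    outcome is the same because every check must pass."""
    if method == 'password' and cfg.get('passwordauthentication', ['yes'])[0] == 'no':
        return 'deny: password authentication disabled'
    if user == 'root':
        # modern default is prohibit-password; releases of the thread's era defaulted to yes
        prl = cfg.get('permitrootlogin', ['prohibit-password'])[0]
        if prl == 'no':
            return 'deny: PermitRootLogin no'
        if prl in ('prohibit-password', 'without-password') and method == 'password':
            return 'deny: root may not use a password'
    if not allowed(cfg.get('allowusers', []), user, hostname, addr):
        return 'deny: not matched by AllowUsers'
    return 'allow'


CFG = parse_config(SSHD_CONFIG)

if __name__ == '__main__':
    # Constructed login attempts against the fragment above.
    for attempt in [('root', 'jump1.example.net', '10.0.0.1', 'publickey'),
                    ('root', 'jump1.example.net', '10.0.0.1', 'password'),
                    ('root', 'laptop.example.net', '10.0.0.9', 'publickey'),
                    ('ops1', 'desk7.example.net', '192.168.1.77', 'publickey'),
                    ('ops1', 'jump1.example.net', '10.0.0.1', 'publickey')]:
        print(attempt, '->', decide(CFG, *attempt))
```

The model ignores DenyUsers, AllowGroups, DenyGroups and Match blocks, all of which sshd evaluates as well, so treat it as a way to reason about the AllowUsers list rather than as a substitute for testing the real daemon; on the server, `sshd -t` at least confirms the file parses. Because the hostname comparison depends on reverse DNS, the robust way to express "only from these one or two machines" is the address form shown in the fragment, which is also what Michael's example uses.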