RE: restricting originating IP per user
From: Kim, Anthony (anthony.kim@vw.com)
Date: 12/13/02
From: "Kim, Anthony" <anthony.kim@vw.com>
To: 'Attica' <attica@stackheap.org>
Date: Fri, 13 Dec 2002 09:14:54 -0600
From sshd_config(5)
PermitRootLogin
Specifies whether root can login using ssh(1). The argument must
be ``yes'', ``without-password'', ``forced-commands-only'' or
``no''. The default is ``yes''.
If this option is set to ``without-password'' password
authentication is disabled for root.
If this option is set to ``forced-commands-only'' root login with
public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
remote backups even if root login is normally not allowed). All
other authentication methods are disabled for root.
If this option is set to ``no'' root is not allowed to login.
HTH,
Anthony
-----Original Message-----
From: Attica [mailto:attica@stackheap.org]
Sent: Thursday, December 12, 2002 3:04 PM
To: Kim, Anthony
Cc: secureshell@securityfocus.com
Subject: RE: restricting originating IP per user
On Wed, 4 Dec 2002, Kim, Anthony wrote:
> Actually, this works for me (OpenSSH-3.4p1)
> from="10.10.100.5,192.168.*,127.*" ssh-rsa AAAA[rest of key]
This is very cool and I'm now using this. However, while this does
restrict which key a user can use for password-less authentication, the
password itself can be brute forced, right?
For example, let's say I need to have a particular IP scp as root for a
nightly backup (BackupPC to be specific). It can't have a passphrase,
which is fine, but I do need to make "PermitRootLogin yes" in my
sshd_config file. Now can't people try to brute force root's password?
I'm betting there's a way to specify that root cannot log in via password
(i.e. only public-key) without affecting mere mortal accounts, but I don't
know how to do it offhand...
Attica
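Added example (not part of the original messages and not OpenSSH code): a small Python model of the two controls discussed in this thread, the from= key option and the PermitRootLogin values quoted from sshd_config(5), showing which root logins each combination leaves open. The key blob, the backup-wrapper path and all function names are constructed for illustration; the model covers only `*`, `?` and `!` patterns and assumes password authentication is otherwise enabled.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# Constructed sample lines: key blob and wrapper path are placeholders.
KEY_FROM_ONLY = 'from="10.10.100.5,192.168.*,127.*" ssh-rsa AAAAEXAMPLEKEY backup'
KEY_FORCED = ('command="/usr/local/bin/backup-wrapper --nightly",'
              'from="10.10.100.5" ssh-rsa AAAAEXAMPLEKEY backup')

def split_unquoted(text, seps):
    """Split on separator characters that sit outside double quotes."""
    parts, buf, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts, buf = parts + [buf], ""
        else:
            buf += ch
        prev = ch
    return parts + [buf]

def parse_options(line):
    """Return the options field of an authorized_keys line as a dict."""
    first = split_unquoted(line.strip(), " \t")[0]
    if first.startswith(KEY_TYPES):
        return {}  # line has no options field
    opts = {}
    for item in split_unquoted(first, ","):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts

def from_allows(patterns, host):
    """Match host against a from= list: '*'/'?' wildcards, '!' negation wins."""
    allowed = False
    for pat in patterns.split(","):
        rx = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, host):
            if pat.startswith("!"):
                return False
            allowed = True
    return allowed

def root_auth(mode, line, src_ip):
    """Model which root logins PermitRootLogin=mode leaves open from src_ip."""
    opts = parse_options(line)
    key_ok = mode != "no" and from_allows(opts.get("from", "*"), src_ip)
    key_ok = key_ok and (mode != "forced-commands-only" or "command" in opts)
    return {"password": mode == "yes", "key": key_ok}
```

For the backup case in the thread, `root_auth("forced-commands-only", KEY_FORCED, "10.10.100.5")` reports the key as usable and the password as closed, while the same key without a command option is refused under that mode.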