RE: UsersDeny except root@myserver
From: Miller Alan (Alan.Miller_at_is-energy.de)
Date: 02/16/04
To: "'secureshell@securityfocus.com'" <secureshell@securityfocus.com>
Date: Mon, 16 Feb 2004 12:24:38 +0100

Thank you for the replies.
The ordering doesn't seem to make any difference
(using Deny first then Allow same as Allow first then Deny)
We decided not to use Allow/Deny Users and just limit root
via the authorized_keys option from="server1"
and the PermitRootLogin: without-password
-----Original Message-----
From: John Tackman [mailto:john.tackman@hex.fi]
Sent: Monday, 16 February 2004 09:35
To: Miller Alan
Subject: RE: UsersDeny except root@myserver
Usually rules are parsed in descending order, does it work if you do it
like this:
DenyUsers root@*
AllowUsers root@server1 root@server2
Remember you have to also set
PermitRootLogin yes
HTH,
-- John

> -----Original Message-----
> From: Miller Alan [mailto:Alan.Miller@is-energy.de]
> Sent: Friday, February 13, 2004 1:29 PM
> To: 'secureshell@securityfocus.com'
> Subject: UsersDeny except root@myserver
>
> Hello,
>
> Have I missed something in the config options to sshd?
> It appears to me that the following can't be done using the
> existing configuration options.
>
> I want to Allow all users from all hosts, but at the same
> time deny all root users except root from 2 specific machines.
>
> AllowUsers * root@server1 root@server2
> DenyUsers root@*
>
> The ssh connection from root@server1 doesn't work, because
> the matching Deny Rule overrides the Allow Rule.
>
> Is there a way to do this?
>
> --
> Alan Miller
> is:energy GmbH
> Unit Operations, Operating Systems - OPOO
> Tresckowstrasse 3
> 30457 Hannover
> Telefon: (0511) 439-4292 Telefax: (0511) 439-4226
> Email: alan.miller@is-energy.de I-Net: <www.is-energy.de>

This transmission is intended only for the individual or entity to which it is addressed. The message may contain information that is private and confidential. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any distribution, dissemination or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by returning the e-mail and delete the original message. Thank You.

The content of this message is not given or endorsed by HEX. HEX reserves the right to monitor all e-mail communications through its networks. The attachments have been scanned for viruses prior to leaving our e-mail server. HEX shall not be liable for any consequences of any virus being passed on.
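
The behaviour discussed in this thread follows from the evaluation order documented in sshd_config(5): DenyUsers is checked before AllowUsers, whatever order the lines appear in the file. The following is an added example, not part of the original posts and not OpenSSH code: a simplified Python model of that check (no group directives, no negated patterns, no DNS lookups; all function and variable names are hypothetical) run against the two configurations quoted above.

```python
import re

def glob_match(pattern, value):
    """sshd-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def entry_matches(entry, user, host):
    """USER@HOST restricts both parts; a bare USER pattern ignores the host."""
    if "@" in entry:
        user_pat, host_pat = entry.split("@", 1)
        return glob_match(user_pat, user) and glob_match(host_pat, host)
    return glob_match(entry, user)

def login_permitted(user, host, deny_users=(), allow_users=()):
    """Model of the documented order: DenyUsers first, then AllowUsers."""
    # 1. Any DenyUsers match rejects the login outright.
    if any(entry_matches(e, user, host) for e in deny_users):
        return False
    # 2. If AllowUsers is set at all, the login must match one of its entries.
    if allow_users and not any(entry_matches(e, user, host) for e in allow_users):
        return False
    return True

# Configuration from the original question.
ORIGINAL = {"allow_users": ["*", "root@server1", "root@server2"],
            "deny_users": ["root@*"]}
# Configuration suggested in the reply (same directives, other file order).
SUGGESTED = {"deny_users": ["root@*"],
             "allow_users": ["root@server1", "root@server2"]}

if __name__ == "__main__":
    # Constructed sample logins; "alice" and "desktop7" are made-up names.
    logins = [("root", "server1"), ("root", "elsewhere"), ("alice", "desktop7")]
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for user, host in logins:
            verdict = "allow" if login_permitted(user, host, **cfg) else "deny"
            print(f"{name:9} {user}@{host:10} -> {verdict}")
```

In this model the suggested variant also rejects every non-root user, because a non-empty AllowUsers list without `*` admits only the entries it names.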