Re: remote ssh for root

From: Darren Tucker (dtucker_at_zip.com.au)
Date: 05/07/05

  • Next message: Chen Peng Lim: "Re: Binding ssh to a loopback address"
    Date: Sat, 07 May 2005 15:43:39 +1000
    To: daniel.engelsen@caremark.com
    
    

    daniel.engelsen@caremark.com wrote:
    > I would like to setup a trusted host that utilizes ssh; however, I do not
    > want root to be loginable. If I set PermitRootLogin to no, then the remote
    > ssh function stops as well. Does anyone know of a way to be able to do
    > remote ssh's as root without allowing root to be able to login?

    You can disable other root login methods (telnet, rsh) while still
    allowing ssh by setting root's rloing attribute to false (ie
    PermitRootLogin overrides root's rlogin attribute). This will work on
    OpenSSH 3.8x, not sure about 3.6x.

    If you're using public-key authentication you can put restrictions on
    the key (eg "no-pty" or "command="), see the sshd man page.

    There's not much point in trying to deny an interactive logins if you
    permit arbitary commands (consider the difference between "ssh
    remotehost" and "ssh remotehost /bin/sh -i" or "ssh -t remotehost
    /bin/sh -i").

    > I am using AIX versions 5.1, 5.2, and 5.3, and we are running ssh versions
    > 3.6 and 3.8.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
         Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
    

  • Next message: Chen Peng Lim: "Re: Binding ssh to a loopback address"

    Relevant Pages

    • Re: BSM, SSH, and Session ID
      ... Are you logging in as root through ssh or is that just the way it is ... Sun SSH/OpenSSH should fork off before the login because the sshd ... It should always be a different session, ...
      (Focus-SUN)
    • Re: telnet as root question
      ... >> make securetty tell telnet and SSH apart? ... >login program after opening the pts. ... >check securetty to know if root login is allowed. ...
      (comp.os.linux.security)
    • Re: BSM, SSH, and Session ID
      ... I can't recall how Sun SSH on Solaris 9 behaves but recent versions of Sun SSH/OpenSSH should fork off before the login because the sshd process that a user is connected to after authentication runs with their privileges, ... It should always be a different session, even if the user login is root. ...
      (Focus-SUN)
    • RE: Login restrictions in NIS environment
      ... to ban root from logging in remotely except from certain IP addresses. ... but it does not allow root to login even from ... > stack is called by both login and ssh access. ...
      (RedHat)
    • Re: ssh to remote machine with user login problem
      ... > machine.When i login as root ssh to remote machoine will work without ... You need to copy the 'authorized_keys' file from the ssh directory of the root ...
      (Debian-User)