Re: remote ssh for root
From: Darren Tucker (dtucker_at_zip.com.au)
Date: 05/07/05
- Previous message: Darren Tucker: "Re: Binding ssh to a loopback address"
- In reply to: daniel.engelsen_at_caremark.com: "remote ssh for root"
- Next in thread: Mark Senior: "RE: remote ssh for root"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 07 May 2005 15:43:39 +1000 To: daniel.engelsen@caremark.com
daniel.engelsen@caremark.com wrote:
> I would like to setup a trusted host that utilizes ssh; however, I do not
> want root to be loginable. If I set PermitRootLogin to no, then the remote
> ssh function stops as well. Does anyone know of a way to be able to do
> remote ssh's as root without allowing root to be able to login?
You can disable other root login methods (telnet, rsh) while still
allowing ssh by setting root's rloing attribute to false (ie
PermitRootLogin overrides root's rlogin attribute). This will work on
OpenSSH 3.8x, not sure about 3.6x.
If you're using public-key authentication you can put restrictions on
the key (eg "no-pty" or "command="), see the sshd man page.
There's not much point in trying to deny an interactive logins if you
permit arbitary commands (consider the difference between "ssh
remotehost" and "ssh remotehost /bin/sh -i" or "ssh -t remotehost
/bin/sh -i").
> I am using AIX versions 5.1, 5.2, and 5.3, and we are running ssh versions
> 3.6 and 3.8.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- Previous message: Darren Tucker: "Re: Binding ssh to a loopback address"
- In reply to: daniel.engelsen_at_caremark.com: "remote ssh for root"
- Next in thread: Mark Senior: "RE: remote ssh for root"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
