Re: remote ssh for root

From: Darren Tucker (dtucker_at_zip.com.au)
Date: 05/07/05

  • Next message: Chen Peng Lim: "Re: Binding ssh to a loopback address"
    Date: Sat, 07 May 2005 15:43:39 +1000
    To: daniel.engelsen@caremark.com
    
    

    daniel.engelsen@caremark.com wrote:
    > I would like to setup a trusted host that utilizes ssh; however, I do not
    > want root to be loginable. If I set PermitRootLogin to no, then the remote
    > ssh function stops as well. Does anyone know of a way to be able to do
    > remote ssh's as root without allowing root to be able to login?

    You can disable other root login methods (telnet, rsh) while still
    allowing ssh by setting root's rloing attribute to false (ie
    PermitRootLogin overrides root's rlogin attribute). This will work on
    OpenSSH 3.8x, not sure about 3.6x.

    If you're using public-key authentication you can put restrictions on
    the key (eg "no-pty" or "command="), see the sshd man page.

    There's not much point in trying to deny an interactive logins if you
    permit arbitary commands (consider the difference between "ssh
    remotehost" and "ssh remotehost /bin/sh -i" or "ssh -t remotehost
    /bin/sh -i").

    > I am using AIX versions 5.1, 5.2, and 5.3, and we are running ssh versions
    > 3.6 and 3.8.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
         Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
    

  • Next message: Chen Peng Lim: "Re: Binding ssh to a loopback address"