Re: Negated patterns in AllowedUsers



Hi,

For the root user it is quite easy. Just put
PermitRootLogin No

in sshd_config

This only allows you to log in through the local console.

Christian

2007/9/2, Radek Hladik <radek@xxxxxxxxxx>:
Hi,
I am a little bit confused about the behavior of patterns when used in
the AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers root@localhost !root
which should enable root from localhost and all non-root users from
anywhere. However, the username part is matched with the match_pattern
function, and this function does not take ! into account (see the
function match_user in match.c).
Secondly I tried
DenyUsers root@!localhost
which should deny root when logging in from anywhere but localhost.
The function match_host_and_ip does call match_hostname, which calls
match_pattern_list. But if the match_hostname function returns -1, which
means "match found and negation was requested", match_host_and_ip returns
false as if there were no match. In fact, at least one _positive_ match
is required to return true:

    /* negative ipaddr match */
    if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
        return 0;
    /* negative hostname match */
    if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
        return 0;
    /* no match at all */
    if (mhost == 0 && mip == 0)
        return 0;
    return 1;

Is there any reason for such behavior? And is there any other way to
limit root to localhost in sshd? I know I can limit it, i.e. via
pam_access, but I would expect sshd to be able to do it.


Radek Hladik


P.S. Version of OpenSSH is openssh-4.5p1
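To make the match_host_and_ip rule quoted in the message concrete, here is a small self-contained C model of it (added example, not OpenSSH's match.c; glob_match, pattern_list and host_and_ip_match are simplified stand-ins for match_pattern, match_pattern_list and match_host_and_ip, and the "*,!localhost" case only illustrates the model's positive-match requirement, not a tested sshd configuration). A pattern consisting solely of "!localhost" can never yield 1, so as a DenyUsers host part it denies nobody.

```c
#include <ctype.h>
#include <string.h>

/* Constructed model, not OpenSSH's match.c: case-insensitive glob with
 * '*' (any run) and '?' (any single char), as sshd uses for host names. */
static int glob_match(const char *s, const char *p)
{
    for (;; s++, p++) {
        if (*p == '*') {
            while (*p == '*') p++;
            if (*p == '\0') return 1;
            for (; *s != '\0'; s++)
                if (glob_match(s, p)) return 1;
            return 0;
        }
        if (*p == '\0') return *s == '\0';
        if (*s == '\0') return 0;
        if (*p != '?' && tolower((unsigned char)*p) != tolower((unsigned char)*s))
            return 0;
    }
}
/* Model of match_pattern_list: comma-separated patterns, a leading '!'
 * negates. Returns 1 positive match, 0 no match, -1 negated pattern hit. */
static int pattern_list(const char *s, const char *list)
{
    int got_positive = 0;
    while (*list != '\0') {
        char pat[256];
        size_t len = strcspn(list, ",");
        if (len >= sizeof pat) return 0;
        memcpy(pat, list, len); pat[len] = '\0';
        const char *q = pat;
        int negated = (*q == '!'); if (negated) q++;
        if (glob_match(s, q)) {
            if (negated) return -1;   /* a negated hit wins immediately */
            got_positive = 1;
        }
        list += len + (list[len] == ',');
    }
    return got_positive;
}
/* The rule quoted from match_host_and_ip: a negated hit on either the address
 * or the name yields 0, and without a positive hit the result is also 0. */
int host_and_ip_match(const char *host, const char *ip, const char *patterns)
{
    int mip, mhost;
    if ((mip = pattern_list(ip, patterns)) == -1) return 0;
    if ((mhost = pattern_list(host, patterns)) == -1) return 0;
    return (mhost == 0 && mip == 0) ? 0 : 1;
}
```

With "!localhost" alone the function returns 0 both for localhost and for a remote host, which is exactly why the DenyUsers line above never takes effect.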
