Re: Working sshd_config to restrict root logins to designated hosts



Ref: <2579a74f-50c6-4ae9-8f30-f2779485d32a@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> from Nico Kadel-Garcia
I'm trying to help a cohort restrict root access to SSH servers. He
feels the need for direct root logins, especially when the Kerberos
server goes toes up, and has some historical concerns about the use of
SSH keys for root logins. And he has fellow administrators who keep
installing SSH keys, for the root user, with no passwords on their
keys. He'd like to block this.

So the ideal setup would have these filters.

* root login is restricted to a specific set of hosts.
* SSH key access is blocked for root.


You can use "Match" sections in sshd_config to specify different settings
depending on the incoming host and/or user.

This should work (untested):
============= cut here=============
# Global Section
PermitRootLogin no
# [...] other settings here
# Conditional Section(s)
# read man page for address syntax (comma-separated addresses or CIDR ranges,
# a leading "!" negates an entry)
Match Address <list of allowed IP addresses>
    PermitRootLogin yes
# applies to root from any address; if a keyword appears in several matching
# Match blocks, the first one wins (values are yes/no, not true/false)
Match User root
    PubkeyAuthentication no
============= cut here=============

Ref: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
--
Gilles
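To see how sshd resolves the two Match blocks above for a given connection, here is a small model of the precedence rules from sshd_config(5). It is an added example, not OpenSSH code and not part of the original post: it re-implements only the Match criteria (User, Address) and keywords the posted fragment uses, and the 192.0.2.0/24 and 198.51.100.7 allow-list addresses are assumed for illustration. The authoritative check on a real host is `sshd -T -C user=root,host=<name>,addr=<ip> -f /path/to/sshd_config`, which prints the effective settings for that connection.

```python
"""Simplified model of sshd_config Match resolution (added example, not OpenSSH).

Rules modelled from sshd_config(5):
  * keywords before any Match block are global values;
  * a Match block applies only if every criterion it lists is satisfied;
  * if a keyword appears in several satisfied Match blocks, the first one wins;
  * Match Address takes a comma-separated list of addresses or CIDR ranges,
    a leading '!' negates an entry.
"""
import ipaddress

# Constructed test config: the thread's fragment with a concrete allow-list.
# The 192.0.2.0/24 and 198.51.100.7 addresses are assumed for illustration.
SSHD_CONFIG = """\
# Global Section
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes

# Conditional Section(s)
Match Address 192.0.2.0/24,198.51.100.7
    PermitRootLogin yes

Match User root
    PubkeyAuthentication no
"""


def parse(text):
    """Split config text into (global_settings, [(criteria, settings), ...]).

    Keywords are case-insensitive so they are lower-cased; arguments keep case.
    Lines after a Match stay attached to that block until the next Match.
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, _, args = line.partition(" ")
        keyword, args = keyword.lower(), args.strip()
        if keyword == "match":
            tokens = args.split()
            if len(tokens) == 1 and tokens[0].lower() == "all":
                criteria = {}  # "Match all" has no criteria and always applies
            else:
                criteria = {tokens[i].lower(): tokens[i + 1]
                            for i in range(0, len(tokens), 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current[keyword] = args
    return global_settings, blocks


def address_matches(addr, address_list):
    """sshd-style Address list. A negated ('!') hit denies the whole list,
    even if another entry matched; otherwise any positive hit matches."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in address_list.split(","):
        negate = entry.startswith("!")
        network = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in network:
            if negate:
                return False
            matched = True
    return matched


def criteria_satisfied(criteria, user, addr):
    """A Match block applies only when every listed criterion holds."""
    for name, value in criteria.items():
        if name == "user":
            if user not in value.split(","):  # exact names; sshd also allows patterns
                return False
        elif name == "address":
            if not address_matches(addr, value):
                return False
        else:
            raise ValueError(f"Match criterion not modelled here: {name}")
    return True


def effective_settings(config_text, user, addr):
    """Settings sshd applies to a client at `addr` authenticating as `user`."""
    settings, blocks = parse(config_text)
    effective = dict(settings)   # globals are the baseline
    decided = set()              # keywords already fixed by an earlier Match block
    for criteria, block in blocks:
        if not criteria_satisfied(criteria, user, addr):
            continue
        for key, value in block.items():
            if key not in decided:  # first satisfied Match block wins per keyword
                effective[key] = value
                decided.add(key)
    return effective


def root_can_log_in_with_key(config_text, addr):
    """True if root from `addr` may authenticate with a public key.
    Defaults mirror OpenSSH 7.0+ (PermitRootLogin prohibit-password, Pubkey yes)."""
    eff = effective_settings(config_text, "root", addr)
    allows_keys = eff.get("permitrootlogin", "prohibit-password") in (
        "yes", "prohibit-password", "without-password")
    return allows_keys and eff.get("pubkeyauthentication", "yes") == "yes"


if __name__ == "__main__":
    for user, addr in [("root", "192.0.2.10"), ("root", "203.0.113.9"),
                       ("alice", "192.0.2.10")]:
        eff = effective_settings(SSHD_CONFIG, user, addr)
        print(f"{user}@{addr}: PermitRootLogin={eff['permitrootlogin']} "
              f"PubkeyAuthentication={eff['pubkeyauthentication']}")
```

With the posted layout, root from an allowed address gets PermitRootLogin yes but PubkeyAuthentication no (password or GSSAPI only), root from anywhere else keeps the global PermitRootLogin no, and ordinary users are unaffected by either block. Because the first satisfied block wins per keyword, a later `Match User root` block cannot re-enable a keyword that an earlier matching block already set, so keep the order in mind when adding more blocks.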