Re: Working sshd_config to restrict root logins to designated hosts
- From: Gilles <nosuchuser@xxxxxxxxxxxxxxxx>
- Date: Sat, 04 Dec 2010 11:35:43 +0100
Ref: <2579a74f-50c6-4ae9-8f30-f2779485d32a@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> from Nico Kadel-Garcia
I'm trying to help a cohort restrict root access to SSH servers. He
feels the need for direct root logins, especially when the Kerberos
server goes toes up, and has some historical concerns about the use of
SSH keys for root logins. And he has fellow administrators who keep
installing SSH keys, for the root user, with no passwords on their
keys. He'd like to block this.
So the ideal setup would have these filters.
* root login is restricted to a specific set of hosts.
* SSH key access is blocked for root.
You can use "Match" sections in sshd_config to specify different settings
depending on the incoming host and/or user.
This should work (untested):
============= cut here=============
# Global Section
PermitRootLogin no
# ... other settings here
# Conditional Section(s)
# read man page for address syntax
Match address <list of allowed IP addresses>
    PermitRootLogin yes
Match user root
    # sshd_config flags are documented as yes/no
    PubkeyAuthentication no
============= cut here=============
Ref: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
--
Gilles
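
Since the configuration above is posted as untested, one way to check it is sshd's extended test mode (`sshd -T` with a `-C` connection spec), which prints the settings that would apply to a given user and source address. The script below is an added example, not part of the original message; the function names, the `/usr/sbin/sshd` path and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example. SSHD path and the function names are assumptions.
SSHD=${SSHD:-/usr/sbin/sshd}

# effective KEY: print KEY's value from `sshd -T` output on stdin.
# sshd -T prints one lower-case "keyword value" pair per line.
effective() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# root_policy_ok MODE: check `sshd -T` output on stdin against the policy.
#   allowed: root may log in, but public-key authentication is off
#   denied:  root may not log in at all
root_policy_ok() {
    dump=$(cat)
    prl=$(printf '%s\n' "$dump" | effective permitrootlogin)
    pka=$(printf '%s\n' "$dump" | effective pubkeyauthentication)
    case "$1" in
        allowed) [ "$prl" = yes ] && [ "$pka" = no ] ;;
        denied)  [ "$prl" = no ] ;;
        *)       return 2 ;;
    esac
}

# check_host ADDR MODE [CONFIG]: ask sshd for the settings it would apply to
# a root connection from ADDR. Usually needs root, since sshd loads host keys.
check_host() {
    "$SSHD" -T -f "${3:-/etc/ssh/sshd_config}" \
        -C "user=root,host=$1,addr=$1" | root_policy_ok "$2"
}

# Constructed samples of the relevant `sshd -T` lines for a listed and an
# unlisted source address (not captured from a real server).
SAMPLE_ALLOWED='permitrootlogin yes
pubkeyauthentication no'
SAMPLE_DENIED='permitrootlogin no
pubkeyauthentication no'

printf '%s\n' "$SAMPLE_ALLOWED" | root_policy_ok allowed && echo "listed host: ok"
printf '%s\n' "$SAMPLE_DENIED"  | root_policy_ok denied  && echo "unlisted host: ok"
# On a real server (addresses are placeholders from the documentation range):
#   check_host 192.0.2.10 allowed && check_host 198.51.100.7 denied
```

Running `check_host` against a copy of the edited file (third argument) before restarting sshd also catches syntax errors, because `sshd -T` exits non-zero on an invalid configuration.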