From owner-freebsd-security@FreeBSD.ORG Sat Nov 20 18:26:03 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 977EE16A4CE; Sat, 20 Nov 2004 18:26:03 +0000 (GMT)
Received: from mail1.acecape.com (mail1.acecape.com [66.114.74.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3367443D48; Sat, 20 Nov 2004 18:26:03 +0000 (GMT) (envelope-from francisco@natserv.net)
Received: from zoraida.natserv.net (p65-147.acedsl.com [66.114.65.147]) by mail1.acecape.com (8.12.11/8.12.11) with ESMTP id iAKIPuVL027009; Sat, 20 Nov 2004 13:25:58 -0500
Date: Sat, 20 Nov 2004 13:29:09 -0500 (EST)
From: Francisco
X-X-Sender: fran@zoraida.natserv.net
To: Mark Ogden
In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu>
Message-ID: <20041120132543.L7533@zoraida.natserv.net>
References: <20041007180630.GA25130@yem.eng.utah.edu> <20041007183400.GA25339@yem.eng.utah.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Mailman-Approved-At: Sun, 21 Nov 2004 14:42:09 +0000
cc: freebsd-security@freebsd.org
cc: Vlad GALU
Subject: Re: Question restricting ssh access for some users only
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 20 Nov 2004 18:26:03 -0000

On Thu, 7 Oct 2004, Mark Ogden wrote:

Coming... way late to the discussion...

> groups. We would like to allow root ssh login to our machines but only
> from one or two machines.

For starters, I don't think it is a good idea to allow remote root logins.

There are several ways to do what you want. A few options:

If you only need the root users to login, set the firewall to only allow ssh from specific IPs.

Set a user that can ssh and either configure sudo or allow the user to su.

> We like to have root login to be able to run
> remote commands to all our machines.

That sounds like something you could do with a regular user + sudo.

> So is there a way to limit root's
> login from one or two machines?

Yet another approach: you can turn on allowing connections with keys only. No password authentication. Then enable root, or better, another ID which can su or sudo the commands you need.
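The reply above recommends three controls: no direct root login, key-only authentication, and letting a named account in only from one or two management hosts. Below is an added example, not code from the thread or from FreeBSD, that audits an sshd_config for exactly those three settings. It assumes OpenSSH's keyword semantics (the first occurrence of a keyword wins, comments start with `#`, `AllowUsers` accepts `user@host` patterns); the two sample configs and the 192.0.2.x management addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the controls discussed in the
# thread (root login off, passwords off, logins limited to user@host).
# Not part of the original message; sample configs below are constructed.

# sshd_value KEYWORD FILE: print the effective value of KEYWORD, or nothing
# if it is unset. sshd honours the first occurrence of a keyword, ignores
# case in keywords and treats '#' to end of line as a comment.
sshd_value() {
    awk -v k="$1" '{ sub(/#.*/, "") }
         tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }' "$2"
}

# check_sshd_config FILE: print one line per control and return 0 only if
# all three are set the hardened way, 1 otherwise.
check_sshd_config() {
    f="$1"; rc=0
    root=$(sshd_value PermitRootLogin "$f")
    pw=$(sshd_value PasswordAuthentication "$f")
    allow=$(sshd_value AllowUsers "$f")

    if [ "$root" = "no" ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "WARN: PermitRootLogin is '${root:-unset}' (direct root logins possible)"; rc=1
    fi

    if [ "$pw" = "no" ]; then
        echo "ok:   PasswordAuthentication no (keys only)"
    else
        echo "WARN: PasswordAuthentication is '${pw:-unset}' (password logins possible)"; rc=1
    fi

    # Every AllowUsers entry should carry a host part (user@host); a bare
    # user name admits that user from any address.
    if [ -z "$allow" ]; then
        echo "WARN: no AllowUsers line (any account with a shell may log in)"; rc=1
    else
        for entry in $allow; do
            case "$entry" in
                *@*) echo "ok:   AllowUsers $entry" ;;
                *)   echo "WARN: AllowUsers $entry has no host restriction"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Constructed samples: a weak config and the hardened one the thread suggests.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# PermitRootLogin no      <- commented out, so it does not count
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
# admin may log in only from the two management hosts (addresses are made up)
AllowUsers admin@192.0.2.10 admin@192.0.2.11
EOF

echo "== weak sample =="
check_sshd_config "$WEAK_CFG" || echo "(fails audit)"
echo "== hardened sample =="
check_sshd_config "$HARD_CFG" && echo "(passes audit)"
```

Run it against a real file with `check_sshd_config /etc/ssh/sshd_config` after sourcing the script; the firewall side of the reply (allowing TCP/22 only from the management addresses) is a separate control and is not covered by this check.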