From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 20:21:24 2004
Date: Sun, 21 Nov 2004 14:21:22 -0600
From: Michael Nicks <nicksm@ioport.com>
To: freebsd-security@freebsd.org
Message-ID: <11/21/04_02:03:27_-0600__nicksm@ioport.com>
Mail-Followup-To: freebsd-security@freebsd.org
References: <20041007180630.GA25130@yem.eng.utah.edu> <20041007183400.GA25339@yem.eng.utah.edu> <20041120132543.L7533@zoraida.natserv.net>
In-Reply-To: <20041120132543.L7533@zoraida.natserv.net>
User-Agent: Mutt/1.4.2.1i
X-GPG-Key: gpg --recv-keys --keyserver pgp.mit.edu 0F11CED3
Subject: Re: Question restricting ssh access for some users only
List-Id: Security issues [members-only posting]

On 11/20/04 01:29:09 -0500, Francisco wrote:
> On Thu, 7 Oct 2004, Mark Ogden wrote:
>
> Coming.. way late to the discussion..
>
> > groups. We would like to allow root ssh login to our machines but only
> > from one or two machines.
>
> For starters I don't think it is a good idea to allow remote root logins.
> There are several ways to do what you want.
>
> A few options:
>
> If you only need the root users to login, set the firewall to only allow
> ssh from specific IPs. Set a user that can ssh and either configure sudo
> or allow user to su.
>
> > We like to have root login to be able to run
> > remote commands to all our machines.
>
> That sounds like something you could do with a regular user + sudo.
>
> > So is there a way to limit root's
> > login from one or two machines?
>
> Yet another approach, you can turn on to allow connections with keys
> only. No password authentication. Then enable root.. or better another ID
> which can su or sudo the commands you need.

Look at the 'AllowUsers' directive in sshd_config. You can use something
along the lines of 'AllowUsers root@10.0.0.1 root@10.0.0.1 etc'. You can
also use wildcards in the fields.

-- 
Michael Nicks
IOPort Technologies, LLC
nicksm@ioport.com
PGP/GNUPG key: 1024D/0F11CED3
1(913)-378-6516
Keyfile available at pgp.mit.edu.
(Fingerprint: 4F9A 25F8 5DC7 4BA0 6288 91E3 C7CD ADA4 0F11 CED3)
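As an added illustration of the AllowUsers semantics discussed in this thread (not code from the thread or from OpenSSH itself), here is a small Python model of how sshd evaluates `user@host` patterns; the sshd_config fragment and the client addresses are constructed for the example. It assumes the rules documented in sshd_config(5): `*` and `?` wildcards, the host part matched against the client's IP address or resolved hostname, and CIDR notation accepted in the host part.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment in the spirit of the reply above:
# key-only root, and AllowUsers limiting who may log in from where.
SSHD_CONFIG = """
PermitRootLogin without-password
PasswordAuthentication no
AllowUsers root@10.0.0.1 root@10.0.0.2 admin@*.example.org ops
"""

def parse_allow_users(config):
    """Collect every pattern from AllowUsers lines (sshd accepts several lines)."""
    patterns = []
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowusers":
            patterns.extend(parts[1:])
    return patterns

def _glob(value, pattern):
    # sshd wildcards: '*' matches any run of characters, '?' exactly one.
    # (fnmatchcase also honours [...] classes, which sshd does not; harmless here.)
    return fnmatch.fnmatchcase(value, pattern)

def _host_matches(hostname, ip, host_pattern):
    """The host part matches on the client IP (CIDR or glob) or on its hostname."""
    if "/" in host_pattern:  # CIDR form such as 10.0.0.0/24
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(host_pattern, strict=False)
        except ValueError:
            return False
    return _glob(ip, host_pattern) or (hostname is not None and _glob(hostname, host_pattern))

def allowed(user, hostname, ip, patterns):
    """Model of the AllowUsers check: once any pattern is configured, one must match."""
    if not patterns:
        return True  # no AllowUsers line: this directive imposes no restriction
    for pat in patterns:
        user_pat, _, host_pat = pat.partition("@")
        if not _glob(user, user_pat):
            continue
        if not host_pat or _host_matches(hostname, ip, host_pat):
            return True
    return False
```

Note that a pattern without an `@` part, such as `ops` above, admits that user from any address, so the firewall restriction Francisco suggests still matters for such entries.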