From: Mark Stanislav
To: Mark Ogden
Cc: freebsd-security@freebsd.org
Date: Thu, 07 Oct 2004 14:39:35 -0400
Subject: Re: Question restricting ssh access for some users only

On Oct 7, 2004, at 2:34 PM, Mark Ogden wrote:

> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
>> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden wrote:
>>> Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
>>>> Hi Jim,
>>>>
>>> But what if you have 1000 users? From my understanding you would have
>>> to add all users to the AllowUsers list.
>> Why can't you just make a script to do that?
>> Or simply add all of them to one of the groups specified in
>> "AllowGroups".
>
> Yes I do understand how that would work. Let me better explain what we
> would like to do: We have over 9000 users and about 100 different
> groups. We would like to allow root ssh login to our machines but only
> from one or two machines. We like to have root login to be able to run
> remote commands to all our machines. So is there a way to limit root's
> login from one or two machines?

Why not just let them use 'sudo' or better yet, just give them access
to become root after they log in to their initial shell?

-Mark

>
> -Mark