From: "Mark Skurzynski" <mark@lomag.net>
To: freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 14:50:49 -0400
Organization: Lomag Internet Services, LLC
Subject: Re: Question restricting ssh access for some users only
List-Id: Security issues [members-only posting]

Hi Fellow Marks,

I normally don't reply here; however, the simple solution is to run a 2nd
instance of sshd on any random port you choose, i.e.
"sshd -f /etc/ssh/sshd_config_private" or whatever you choose. You could
then easily firewall that port and only allow specific IPs to connect.

Thanks,
Mark

--
****************************************************
Mark Skurzynski * Lomag Internet Services, LLC
mark@lomag.net  * http://www.lomag.net
Edison, NJ USA  * 908-754-2296
****************************************************

----- Original Message -----
From: "Mark Stanislav"
To: "Mark Ogden"
Cc: freebsd-security@freebsd.org
Sent: Thursday, October 07, 2004 2:39 PM
Subject: Re: Question restricting ssh access for some users only

>
> On Oct 7, 2004, at 2:34 PM, Mark Ogden wrote:
>
> > Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
> >> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden
> >> wrote:
> >>> Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> >>>> Hi Jim,
> >>>>
> >>>>
> >>> But what if you have 1000 users? From my understanding you would have
> >>> to add all users to the AllowUsers list.
> >>
> > Why can't you just make a script to do that?
>
> >> Or simply add all of them to one of the groups specified in
> >> "AllowGroups".
> >
> > Yes, I do understand how that would work. Let me better explain what we
> > would like to do: We have over 9000 users and about 100 different
> > groups. We would like to allow root ssh login to our machines but only
> > from one or two machines. We like to have root login to be able to run
> > remote commands to all our machines. So is there a way to limit root's
> > login from one or two machines?
>
> Why not just let them use 'sudo' or better yet, just give them access
> to become root after they login to their initial shell?
>
> > -Mark
> >
> >
> > -Mark
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> > "freebsd-security-unsubscribe@freebsd.org"
> >
>
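The thread never spells out what the private sshd_config for that second instance should contain, so here is an added audit script, written for this page and not taken from the thread or the FreeBSD project, that checks such a file against the assumptions listed in its comments (a port other than 22, a PidFile distinct from the public instance's, PermitRootLogin stated explicitly, and AllowUsers entries host-qualified to the admin hosts that may reach root). The sample config, its path and the 10.0.0.x addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Audit the config for a second, admin-only sshd ("sshd -f sshd_config_private").
# Assumptions of this example, not rules from the thread: a port other than 22,
# a PidFile distinct from the default (or the two instances overwrite it),
# PermitRootLogin stated explicitly, and every AllowUsers entry host-qualified
# (USER@HOST) with HOST drawn from the admin hosts passed as arguments.

# get_directive FILE KEY -> value of the first uncommented KEY line
# (sshd honours the first occurrence of a keyword, so mirror that)
get_directive() {
    awk -v key="$2" '!seen && tolower($1) == tolower(key) {
        seen = 1; $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$1"
}
fail() { echo "FAIL: $1"; rc=1; }

# check_private_config FILE ADMIN_HOST... -> 0 if every check passes, else 1
check_private_config() {
    cfg="$1"; shift; rc=0
    port=$(get_directive "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        fail "Port must be set and differ from the public instance"
    fi
    case "$(get_directive "$cfg" PidFile)" in
        ""|/var/run/sshd.pid) fail "PidFile must not be the default shared with the public sshd" ;;
    esac
    if [ -z "$(get_directive "$cfg" PermitRootLogin)" ]; then
        fail "PermitRootLogin must be stated explicitly"
    fi
    users=$(get_directive "$cfg" AllowUsers)
    if [ -z "$users" ]; then fail "AllowUsers missing; any account could use this port"; fi
    for entry in $users; do
        host=${entry#*@}
        if [ "$host" = "$entry" ]; then
            fail "'$entry' is not host-qualified (USER@HOST)"; continue
        fi
        ok=0
        for h in "$@"; do if [ "$h" = "$host" ]; then ok=1; fi; done
        if [ "$ok" -eq 0 ]; then fail "'$entry' admits a host outside the admin list"; fi
    done
    return $rc
}
# Constructed sample of what sshd_config_private might contain.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 2222
PidFile /var/run/sshd_private.pid
PermitRootLogin without-password
AllowUsers root@10.0.0.5 root@10.0.0.6
EOF
}
```

Run `sshd -t -f FILE` alongside it for a syntax check; this script covers only the policy side, and the firewall rule on the private port that Mark mentions still applies.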