Date:      Thu, 7 Oct 2004 12:52:32 -0600
From:      Mark Ogden <ogden@eng.utah.edu>
To:        Mark Stanislav <KryptoBSD@uncompiled.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Question restricting ssh access for some users only
Message-ID:  <20041007185232.GA25539@yem.eng.utah.edu>
In-Reply-To: <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com>
References:  <cvuam0t1l2u7npnigk6oqrlq288hlu0mgn@4ax.com> <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu> <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com>

Mark Stanislav on Thu, Oct 07, 2004 at 02:39:35PM -0400 wrote:
> 
> On Oct 7, 2004, at 2:34 PM, Mark Ogden wrote:
> 
> >Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
> >>On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden@eng.utah.edu> 
> >>wrote:
> >>>Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> >>>>Hi Jim,
> >>>>
> >>>>
> >>>But what if you have 1000 users? From my understanding you would have
> >>>to add all users to the AllowUsers list.
> >>
> 
> Why can't you just make a script to do that?
> 
> >>    Or simply add all of them to one of the groups specified in 
> >>"AllowGroups".
> >
> >Yes I do understand how that would work. Let me better explain what we
> >would like to do: We have over 9000 users and about 100 different
> >groups. We would like to allow root ssh login to our machines but only
> >from one or two machines. We like to have root login to be able to run
> >remote commands to all our machines. So is there a way to limit root's
> >login from one or two machines?
> 
> Why not just let them use 'sudo' or better yet, just give them access 
> to become root after they login to their initial shell?

For us: 

1) 'sudo' is in afs so one would have to get a token (by typing
   a password) first to be able to use sudo.

2) To use su without a password, again one would have to use their
   token gotten from afs. See #1.

I guess we could investigate AFSTokenPassing via ssh.

-Mark
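The root-from-one-or-two-machines question in the quoted text, as an added example that is not from the thread: a Python model of how sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups (in that order, with USER@HOST patterns), plus a stand-in for a global PermitRootLogin no overridden by a Match Address block (Match blocks exist only in OpenSSH 4.4 and later). The addresses, group names and the SshdAccessPolicy class are constructed; the point it makes is that listing only root@host in AllowUsers locks out every other user.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class SshdAccessPolicy:
    """The sshd_config directives that decide who may log in (constructed model)."""
    deny_users: list = field(default_factory=list)
    allow_users: list = field(default_factory=list)
    deny_groups: list = field(default_factory=list)
    allow_groups: list = field(default_factory=list)
    # Addresses root may log in from: stands in for a global "PermitRootLogin no"
    # plus "Match Address <addr>" / "PermitRootLogin yes" (OpenSSH 4.4+).
    root_login_from: list = field(default_factory=list)


def _user_match(pattern, user, host):
    # A "USER@HOST" pattern checks both halves; a bare pattern checks the user only.
    # sshd patterns use only "*" and "?"; fnmatchcase is a close enough stand-in.
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def _group_match(patterns, groups):
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def login_allowed(policy, user, groups, host):
    """Evaluate in sshd's order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if any(_user_match(p, user, host) for p in policy.deny_users):
        return False
    if policy.allow_users and not any(_user_match(p, user, host) for p in policy.allow_users):
        return False
    if _group_match(policy.deny_groups, groups):
        return False
    if policy.allow_groups and not _group_match(policy.allow_groups, groups):
        return False
    if user == "root":  # PermitRootLogin applies after the allow/deny lists
        return any(fnmatch.fnmatchcase(host, p) for p in policy.root_login_from)
    return True


ADMIN_HOSTS = ["192.0.2.10", "192.0.2.11"]  # constructed addresses of the two admin machines

# Naive attempt: "AllowUsers root@<host>..." with PermitRootLogin yes. Once AllowUsers is
# set, sshd admits only users matching some pattern, so the 9000 ordinary users are locked out.
NAIVE = SshdAccessPolicy(allow_users=[f"root@{h}" for h in ADMIN_HOSTS], root_login_from=["*"])

# Keep group-based access for everyone and confine root with the Match block instead.
SCOPED = SshdAccessPolicy(allow_groups=["staff", "wheel"], root_login_from=ADMIN_HOSTS)

if __name__ == "__main__":
    print(login_allowed(NAIVE, "alice", ["staff"], "198.51.100.7"))   # False
    print(login_allowed(SCOPED, "alice", ["staff"], "198.51.100.7"))  # True
    print(login_allowed(SCOPED, "root", ["wheel"], "198.51.100.7"))   # False
```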
