From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:51:31 2004
Date: Thu, 7 Oct 2004 12:52:32 -0600
From: Mark Ogden
To: Mark Stanislav
cc: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only
Message-ID: <20041007185232.GA25539@yem.eng.utah.edu>
In-Reply-To: <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com>
References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu> <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com>
User-Agent: Mutt/1.5.5.1i

Mark Stanislav on Thu, Oct 07, 2004 at 02:39:35PM -0400 wrote:
>
> On Oct 7, 2004, at 2:34 PM, Mark Ogden wrote:
>
> > Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
> > > On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden
> > > wrote:
> > > > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > > > > Hi Jim,
> > > > >
> > > > >
> > > > But what if you have 1000 users? From my understanding you would have
> > > > to add all users to the AllowUsers list.
> > >
> > Why can't you just make a script to do that?
>
> > > Or simply add all of them to one of the groups specified in
> > > "AllowGroups".
> >
> > Yes I do understand how that would work. Let me better explain what we
> > would like to do: We have over 9000 users and about 100 different
> > groups. We would like to allow root ssh login to our machines but only
> > from one or two machines. We like to have root login to be able to run
> > remote commands to all our machines. So is there a way to limit root's
> > login from one or two machines?
>
> Why not just let them use 'sudo' or better yet, just give them access
> to become root after they login to their initial shell?

For us:

1) 'sudo' is in afs so one would have to get a token (by typing a password) first to be able to use sudo.

2) To use su without a password, again one would have to use their token gotten from afs. See #1.

I guess we could investigate AFSTokenPassing via ssh.

-Mark
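One way to get what Mark asks for (root logins only from one or two admin hosts, without listing all 9000 accounts in AllowUsers), as an added sshd_config example that is not from the thread. The two addresses are placeholders, and Match blocks assume OpenSSH 4.4 or later, which is newer than the FreeBSD base of 2004.

```sshd_config
# Added example (not from the thread). Restrict root to two admin hosts while
# leaving every other account untouched. Addresses are placeholders.

# Default for every client: root may not log in at all.
PermitRootLogin no

# AllowUsers / AllowGroups are deliberately NOT set. Setting either one turns on
# allowlisting for every account, which is the 1000/9000-user problem raised
# above. (An AllowUsers entry of the form root@192.0.2.10 would also check the
# source host, but only at the price of having to list everyone else too.)

# Only connections from the two admin hosts get a root login, and only with a
# key, never a password. Match needs OpenSSH 4.4+; "prohibit-password" is
# spelled "without-password" on releases older than OpenSSH 7.0.
Match Address 192.0.2.10,192.0.2.11
    PermitRootLogin prohibit-password
    PasswordAuthentication no

# Defence in depth: pin the admin key itself to the same hosts in root's
# authorized_keys on each machine, so a copied key is useless elsewhere
# (illustrative line, key shortened):
#   from="192.0.2.10,192.0.2.11" ssh-ed25519 AAAA... admin@192.0.2.10
```

Check the result with `sshd -t` for syntax and `sshd -T -C user=root,addr=192.0.2.10 | grep -i permitrootlogin`, which prints the effective value for that source address; repeat with an address outside the list to confirm it reports `no`.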