Date:      Thu, 7 Oct 2004 21:01:58 +0200 (CEST)
From:      "Per Engelbrecht" <per@xterm.dk>
To:        <freebsd-security@freebsd.org>
Subject:   Re: Question restricting ssh access for some users only
Message-ID:  <63056.62.242.151.142.1097175718.squirrel@mailbox.wingercom.dk>
In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu>
References:  <20041007183400.GA25339@yem.eng.utah.edu>

> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
>> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden@eng.utah.edu>
>> wrote:
>> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200
>> > wrote:
>> > > Hi Jim,
>> > >
>> > >
>> > But what if you have 1000 users? From my understanding you would
>> > have to add all users to the AllowUsers list.
>>
>>     Or simply add all of them to one of the groups specified in
>>     "AllowGroups".
>
> Yes, I do understand how that would work. Let me better explain what
> we would like to do: We have over 9000 users and about 100
> different
> groups. We would like to allow root ssh login to our machines but
> only from one or two machines. We like to have root login to be
> able to run remote commands to all our machines. So is there a way
> to limit roots login from one or two machines?

Hi Mark
This is what I do:
Disable root login via ssh entirely and set up 'sudo' and ssh-agents.
You can make quite impressive sudo setups. Look at
http://www.courtesan.com/sudo/

With this approach the root passwd is safe (both from ssh and from
other admin/users) and you can exec any command on any server without
the use of passwd if you use ssh-agents and every 'sudo' command is
logged. You know who did this and that .. and when.
Furthermore, add accounting on each server and add a central syslog(-ng)
server (if not done already).

respectfully
/per
per@xterm.dk


>
> -Mark
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
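The thread turns on what sshd's AllowUsers/AllowGroups and PermitRootLogin settings actually do to root versus the 9000 ordinary users. The script below is an added illustration, not code from the thread or from OpenSSH: it re-implements the evaluation order of sshd's allowed_user() (DenyUsers, AllowUsers, DenyGroups, AllowGroups), the `user@host` form of AllowUsers tokens, and the `from="..."` option in authorized_keys, and runs them over constructed sshd_config fragments, a constructed group table and a placeholder root key. It shows why `AllowUsers root@host` is not the answer to Mark's question (once AllowUsers is set, every user not listed is refused, so all 9000 would need entries) and how keeping AllowGroups for the population while putting `from="10.0.0.5,10.0.0.6"` on root's key limits root to the two admin hosts. All host names, addresses, groups and users are assumed for the example.

```python
"""Simulate OpenSSH's per-user access checks for a few constructed sshd_config
variants, to see what each setting does to root and to ordinary users.
Illustrative code, not part of the thread and not OpenSSH's own code."""
from fnmatch import fnmatchcase

# Constructed sshd_config fragments (assumed, not quoted from the thread).
CONFIG_ALLOWUSERS = """
PermitRootLogin without-password
# Looks like "root only from two hosts", but locks out everyone else:
AllowUsers root@10.0.0.5 root@10.0.0.6
"""

CONFIG_ALLOWGROUPS = """
PermitRootLogin without-password
AllowGroups wheel staff eng-*
"""

# Constructed root authorized_keys line; the key blob is a placeholder.
ROOT_KEY = 'from="10.0.0.5,10.0.0.6" ssh-rsa AAAA-placeholder-not-a-real-key root@bastion'

# Constructed group database: user -> groups (stands in for the real group file).
GROUPS = {
    "root": {"wheel"},
    "mark": {"staff", "eng-sys"},
    "vlad": {"eng-net"},
    "guest": {"nobody"},
}

def parse(text):
    """Keyword (case-insensitive) -> list of token lists, one per occurrence."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        opts.setdefault(key.lower(), []).append(rest.split())
    return opts

def first(opts, key, default):
    """sshd_config rule: for single-valued keywords the first occurrence wins."""
    vals = opts.get(key)
    return vals[0][0] if vals and vals[0] else default

def accumulated(opts, key):
    """Allow*/Deny* lists accumulate across repeated lines."""
    return [p for line in opts.get(key, []) for p in line]

def match_list(target, patterns):
    """Mirrors OpenSSH match_pattern_list(): -1 if a '!' pattern matches,
    1 if a positive pattern matches, 0 if nothing matches."""
    positive = 0
    for p in patterns:
        negated = p.startswith("!")
        if fnmatchcase(target, p[1:] if negated else p):
            if negated:
                return -1
            positive = 1
    return positive

def match_host_and_ip(host, ip, patterns):
    """Mirrors OpenSSH match_host_and_ip(): a negated hit on either the name
    or the address rejects; otherwise a positive hit on either accepts."""
    mip = match_list(ip, patterns)
    mhost = match_list(host, patterns)
    if mip == -1 or mhost == -1:
        return False
    return mip == 1 or mhost == 1

def match_user(user, host, ip, pattern):
    """AllowUsers/DenyUsers token: 'user' or 'user@hostpattern[,hostpattern]'."""
    if "@" not in pattern:
        return fnmatchcase(user, pattern)
    upat, hpat = pattern.split("@", 1)
    return fnmatchcase(user, upat) and match_host_and_ip(host, ip, hpat.split(","))

def allowed(config, user, host, ip, groups=GROUPS):
    """Order of sshd's allowed_user(): DenyUsers, AllowUsers, DenyGroups,
    AllowGroups.  PermitRootLogin no is folded in as an unconditional refusal."""
    opts = parse(config)
    if user == "root" and first(opts, "permitrootlogin", "yes") == "no":
        return False
    if any(match_user(user, host, ip, p) for p in accumulated(opts, "denyusers")):
        return False
    allow_u = accumulated(opts, "allowusers")
    if allow_u and not any(match_user(user, host, ip, p) for p in allow_u):
        return False  # AllowUsers set: everyone not listed is locked out
    ug = groups.get(user, set())
    if any(fnmatchcase(g, p) for g in ug for p in accumulated(opts, "denygroups")):
        return False
    allow_g = accumulated(opts, "allowgroups")
    if allow_g and not any(fnmatchcase(g, p) for g in ug for p in allow_g):
        return False
    return True

def key_usable_from(key_line, host, ip):
    """authorized_keys from="...": the key is accepted only from matching clients."""
    if not key_line.startswith('from="'):
        return True
    patterns = key_line[len('from="'):].split('"', 1)[0].split(",")
    return match_host_and_ip(host, ip, patterns)

def root_login_ok(config, key_line, host, ip):
    """Root gets in only if sshd admits root AND the key's from= list matches."""
    return allowed(config, "root", host, ip) and key_usable_from(key_line, host, ip)

if __name__ == "__main__":
    for host, ip in [("bastion", "10.0.0.5"), ("laptop", "10.0.0.7")]:
        print("AllowUsers config, root from", ip, allowed(CONFIG_ALLOWUSERS, "root", host, ip))
        print("AllowGroups + from= key, root from", ip, root_login_ok(CONFIG_ALLOWGROUPS, ROOT_KEY, host, ip))
    print("AllowUsers config, mark:", allowed(CONFIG_ALLOWUSERS, "mark", "ws1", "10.0.1.9"))
    print("AllowGroups config, mark:", allowed(CONFIG_ALLOWGROUPS, "mark", "ws1", "10.0.1.9"))
```

Per's recommendation corresponds to the first branch of allowed(): with `PermitRootLogin no` root never gets past sshd, and the per-host question moves to sudo and the admins' own keys. On OpenSSH 4.4 and later the same per-host restriction of root can be written in sshd_config as a `Match Address 10.0.0.5,10.0.0.6` block containing `PermitRootLogin without-password`, with `PermitRootLogin no` in the global section; the 2004-era releases discussed here lack Match, so the `from=` key option is the portable way.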