From: "Per Engelbrecht" <per@xterm.dk>
To: freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 21:01:58 +0200 (CEST)
Subject: Re: Question restricting ssh access for some users only
In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu>

> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
>> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden wrote:
>> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
>> > > Hi Jim,
>> > >
>> > But what if you have 1000 users? From my understanding you would
>> > have to add all users to the AllowUsers list.
>>
>> Or simply add all of them to one of the groups specified in
>> "AllowGroups".
>
> Yes I do understand how that would work. Let me better explain what
> we would like to do: We have over 9000 users and about 100 different
> groups. We would like to allow root ssh login to our machines but
> only from one or two machines. We like to have root login to be
> able to run remote commands to all our machines. So is there a way
> to limit root's login from one or two machines?

Hi Mark

This is what I do: disable root login via ssh entirely and set up 'sudo' and ssh-agents. You can make quite impressive sudo setups. Look at http://www.courtesan.com/sudo/

With this approach the root passwd is safe (both from ssh and from other admins/users) and you can exec any command on any server without the use of a passwd if you use ssh-agents, and every 'sudo' command is logged. You know who did this and that .. and when.

Furthermore, add accounting on each server and add a central syslog(-ng) server (if not done already).

respectfully
/per
per@xterm.dk

> -Mark
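The two sshd_config controls the thread turns on, PermitRootLogin and the AllowUsers/AllowGroups allow-list, checked by an audit script added here as an example (not code from the original post or from FreeBSD). The sample configs are constructed; the group "sshusers", the account "ops" and the two admin hostnames are hypothetical, and the USER@HOST form of AllowUsers is OpenSSH's documented way of tying an account to particular source hosts.

```shell
#!/bin/sh
# Audit an sshd_config for the controls discussed in the thread:
# root login over ssh disabled, and logins limited to an allow-list.
# Assumption: no Match blocks (sshd takes the first value of a keyword).

# Constructed "before" config: root may log in and nobody is allow-listed.
WEAK_CONF=$(cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
)

# Constructed "after" config: root disabled, group "sshusers" (hypothetical)
# allowed, and the "ops" account only from two admin hosts (hypothetical).
HARDENED_CONF=$(cat <<'EOF'
Port 22
PermitRootLogin no
AllowGroups sshusers
AllowUsers ops@adminhost1.example.com ops@adminhost2.example.com
EOF
)

# effective_value CONF KEYWORD -> first uncommented value, case-insensitive keyword
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd CONF -> prints findings; returns 0 only when both controls hold
audit_sshd() {
    conf=$1
    ok=0
    root=$(effective_value "$conf" PermitRootLogin)
    case "${root:-unset}" in
        no) echo "OK   PermitRootLogin no" ;;
        *)  echo "WARN PermitRootLogin is '${root:-unset}'"; ok=1 ;;
    esac
    if [ -n "$(effective_value "$conf" AllowGroups)" ] ||
       [ -n "$(effective_value "$conf" AllowUsers)" ]; then
        echo "OK   logins restricted by AllowUsers/AllowGroups"
    else
        echo "WARN no AllowUsers/AllowGroups: any account with a shell may log in"
        ok=1
    fi
    return $ok
}

audit_sshd "$WEAK_CONF" || echo "weak config fails audit"
audit_sshd "$HARDENED_CONF" && echo "hardened config passes audit"
```

To audit a real host, replace the heredoc with `$(cat /etc/ssh/sshd_config)`; "unset" for PermitRootLogin is reported as a finding because the compiled-in default varies between OpenSSH releases.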