Date: Thu, 7 Oct 2004 20:26:26 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Vlad GALU <vladgalu@gmail.com>, freebsd-security@freebsd.org Subject: Re: Question restricting ssh access for some users only Message-ID: <20041007192626.GB4174@happy-idiot-talk.infracaninophile.co.uk> In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu> References: <cvuam0t1l2u7npnigk6oqrlq288hlu0mgn@4ax.com> <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--s/l3CgOIzMHHjg/5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Oct 07, 2004 at 12:34:00PM -0600, Mark Ogden wrote: > Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote: > > On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden@eng.utah.edu> wrot= e: > > > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote: > > > > Hi Jim, > > > > > > > > > > > But what if you have 1000 users? From my understanding you would have > > > to add all users to the AllowUsers list. > >=20 > > Or simply add all of them to one of the groups specified in "AllowG= roups". >=20 > Yes I do understand how that would work. Yet me better explain what we > would like to do: We have over 9000 users and about 100 different > groups. We would like to allow root ssh login to our machines but only > from one or two machines. We like to have root login to be able to run > remote commands to all our machines. So is there a way to limit roots > login from one or two machines? Before any one else leaps in, you're going to get a lot of advice saying "don't allow people to ssh into the root account directly: make them log in to their own accound, and then use su(1) or sudo(1). That's good advice. However, to answer the question that was actually asked: Use the PermitRootLogin option in /etc/ssh/sshd_config to force the people who are going to log in to use key based authentication: PermitRootLogin without-password Then issue each person that should be able to log into the root a/c on the box their own public/private key pair -- ie. get them to run ssh-keygen(1) -- each key should have a different passphrase usable only by the person it's issued to. Copy the public keys into /root/.ssh/authorized_keys on the target machine. Edit that file to add the 'from=3D"pattern-list"' restriction on use of that key -- see the section AUTHORIZED_KEYS FILE FORMAT in sshd(8). Adding no-port-forwarding, no-X11-forwarding and/or no-agent-forwarding as well is usually a good idea. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --s/l3CgOIzMHHjg/5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBZZhiiD657aJF7eIRAtKmAJ9EmP+ZPQC3AOGxDAiPKhMahJ8HUACgiSts DK1QWV4FQUcNC0IlwbTwCKM= =QkKa -----END PGP SIGNATURE----- --s/l3CgOIzMHHjg/5--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041007192626.GB4174>