Date: Thu, 7 Oct 2004 20:26:26 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Vlad GALU <vladgalu@gmail.com>, freebsd-security@freebsd.org Subject: Re: Question restricting ssh access for some users only Message-ID: <20041007192626.GB4174@happy-idiot-talk.infracaninophile.co.uk> In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu> References: <cvuam0t1l2u7npnigk6oqrlq288hlu0mgn@4ax.com> <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--s/l3CgOIzMHHjg/5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Oct 07, 2004 at 12:34:00PM -0600, Mark Ogden wrote:
> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
> > On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden@eng.utah.edu> wrot=
e:
> > > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > > > Hi Jim,
> > > >
> > > >
> > > But what if you have 1000 users? From my understanding you would have
> > > to add all users to the AllowUsers list.
> >=20
> > Or simply add all of them to one of the groups specified in "AllowG=
roups".
>=20
> Yes I do understand how that would work. Yet me better explain what we
> would like to do: We have over 9000 users and about 100 different
> groups. We would like to allow root ssh login to our machines but only
> from one or two machines. We like to have root login to be able to run
> remote commands to all our machines. So is there a way to limit roots
> login from one or two machines?
Before any one else leaps in, you're going to get a lot of advice
saying "don't allow people to ssh into the root account directly: make
them log in to their own accound, and then use su(1) or sudo(1).
That's good advice. However, to answer the question that was actually
asked:
Use the PermitRootLogin option in /etc/ssh/sshd_config to force the
people who are going to log in to use key based authentication:
PermitRootLogin without-password
Then issue each person that should be able to log into the root a/c on
the box their own public/private key pair -- ie. get them to run
ssh-keygen(1) -- each key should have a different passphrase usable
only by the person it's issued to.
Copy the public keys into /root/.ssh/authorized_keys on the target
machine. Edit that file to add the 'from=3D"pattern-list"' restriction
on use of that key -- see the section AUTHORIZED_KEYS FILE FORMAT in
sshd(8). Adding no-port-forwarding, no-X11-forwarding and/or
no-agent-forwarding as well is usually a good idea.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
--s/l3CgOIzMHHjg/5
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFBZZhiiD657aJF7eIRAtKmAJ9EmP+ZPQC3AOGxDAiPKhMahJ8HUACgiSts
DK1QWV4FQUcNC0IlwbTwCKM=
=QkKa
-----END PGP SIGNATURE-----
--s/l3CgOIzMHHjg/5--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041007192626.GB4174>