From: Matthew Seaman
To: Vlad GALU, freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 20:26:26 +0100
Subject: Re: Question restricting ssh access for some users only
Message-ID: <20041007192626.GB4174@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu>

On Thu, Oct 07, 2004 at 12:34:00PM -0600, Mark Ogden wrote:
> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
> > On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden wrote:
> > > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > > > Hi Jim,
> > > >
> > >
> > > But what if you have 1000 users? From my understanding you would have
> > > to add all users to the AllowUsers list.
> >
> > Or simply add all of them to one of the groups specified in "AllowGroups".
>
> Yes I do understand how that would work. Let me better explain what we
> would like to do: We have over 9000 users and about 100 different
> groups. We would like to allow root ssh login to our machines but only
> from one or two machines. We like to have root login to be able to run
> remote commands to all our machines. So is there a way to limit root's
> login from one or two machines?

Before anyone else leaps in, you're going to get a lot of advice saying
"don't allow people to ssh into the root account directly: make them log
in to their own account, and then use su(1) or sudo(1)." That's good
advice. However, to answer the question that was actually asked:

Use the PermitRootLogin option in /etc/ssh/sshd_config to force the
people who are going to log in to use key based authentication:

    PermitRootLogin without-password

Then issue each person that should be able to log into the root a/c on
the box their own public/private key pair -- ie. get them to run
ssh-keygen(1) -- each key should have a different passphrase usable only
by the person it's issued to. Copy the public keys into
/root/.ssh/authorized_keys on the target machine. Edit that file to add
the 'from="pattern-list"' restriction on use of that key -- see the
section AUTHORIZED_KEYS FILE FORMAT in sshd(8). Adding
no-port-forwarding, no-X11-forwarding and/or no-agent-forwarding as well
is usually a good idea.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
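As an added example (not part of the message above), a small POSIX shell audit that reads a root authorized_keys file and flags entries missing the from="pattern-list" restriction or the no-*-forwarding options the reply recommends. The hostnames, key blobs and the temporary file are constructed sample data, not real keys.

```shell
#!/bin/sh
# Audit an authorized_keys file: every key meant for root login should carry
# a from="pattern-list" restriction plus no-port-forwarding,
# no-X11-forwarding and no-agent-forwarding (see sshd(8), AUTHORIZED_KEYS
# FILE FORMAT).  Prints "OK <comment>" or "WEAK <comment>: missing <options>".
audit_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        {
            # A line that starts with a key type has no options field at all.
            if ($1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)$/) {
                opts = ""; comment = $3
            } else {
                opts = $1; comment = $4
            }
            o = "," opts                     # leading comma simplifies matching
            missing = ""
            if (o !~ /,from="[^"]+"/)        missing = missing "from= "
            if (o !~ /,no-port-forwarding/)  missing = missing "no-port-forwarding "
            if (o !~ /,no-X11-forwarding/)   missing = missing "no-X11-forwarding "
            if (o !~ /,no-agent-forwarding/) missing = missing "no-agent-forwarding "
            sub(/ $/, "", missing)
            if (missing == "") print "OK " comment
            else               print "WEAK " comment ": missing " missing
        }' "$1"
}

# Constructed sample file (placeholder key blobs, not real keys): one key
# restricted as recommended, one with no options at all, and one with a
# from= pattern but forwarding still permitted.  Prints the file path.
sample_keys_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# root keys, one per administrator
from="admin1.example.org,admin2.example.org",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAfake1 alice@admin1
ssh-rsa AAAAB3NzaC1yc2EAAAAfake2 bob@laptop
from="*.example.org" ssh-dss AAAAB3NzaC1kc3MAAAAfake3 carol@ops
EOF
    echo "$f"
}

keys=$(sample_keys_file)
audit_authorized_keys "$keys"   # alice OK; bob and carol reported WEAK
rm -f "$keys"
```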