Date:      Sun, 21 Nov 2004 14:21:22 -0600
From:      Michael Nicks <nicksm@ioport.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Question restricting ssh access for some users only
Message-ID:  <11/21/04_02:03:27_-0600__nicksm@ioport.com>
In-Reply-To: <20041120132543.L7533@zoraida.natserv.net>
References:  <cvuam0t1l2u7npnigk6oqrlq288hlu0mgn@4ax.com> <20041007180630.GA25130@yem.eng.utah.edu> <20041007183400.GA25339@yem.eng.utah.edu> <20041120132543.L7533@zoraida.natserv.net>

On 11/20/04 01:29:09 -0500, Francisco wrote:
> On Thu, 7 Oct 2004, Mark Ogden wrote:
> 
> Coming.. way late to the discussion..
> 
> >groups. We would like to allow root ssh login to our machines but only
> >from one or two machines.
> 
> For starters I don't think it is a good idea to allow remote root logins
> There are several ways to do what you want.
> A few options
> 
> If you only need the root users to login, set the firewall to only allow 
> ssh from specific IPs. Set a user that can ssh and either configure sudo 
> or allow user to su.
>
> >We like to have root login to be able to run
> >remote commands to all our machines.
> 
> That sounds like something you could do with a regular user + sudo.
> 
> >So is there a way to limit roots
> >login from one or two machines?
> 
> Yet another approach, you can turn on  to allow connections with keys 
> only. No password authentication. Then enable root.. or better another ID 
> which can su or sudo the commands you need.

Look at the 'AllowUsers' directive in sshd_config. You can use something to
the like of 'AllowUsers root@10.0.0.1 root@10.0.0.1 etc'. You can also use
wildcards in the fields.

-- 
Michael Nicks				     IOPort Technologies, LLC
nicksm@ioport.com			PGP/GNUPG key: 1024D/0F11CED3
1(913)-378-6516			    Keyfile available at pgp.mit.edu.
    (Fingerprint: 4F9A 25F8 5DC7 4BA0 6288  91E3 C7CD ADA4 0F11 CED3)
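The AllowUsers semantics described above, as an added example that is not part of the original thread or of OpenSSH's own code: a small Python model of how sshd evaluates a login against an AllowUsers list, fed with a constructed sshd_config fragment. It is a simplification (real sshd also matches the host part against the resolved client hostname and, in later releases, accepts CIDR ranges and negated patterns), but it shows the two points that bite in practice: an entry like `root@10.0.0.1` only restricts root, and once AllowUsers is present at all, every user not matched by some entry is refused.

```python
import re

# Constructed sshd_config fragment for this example (not taken from any real
# host). Once AllowUsers is set, only matching user / user@host entries log in.
SSHD_CONFIG = """
PermitRootLogin without-password
PasswordAuthentication no
AllowUsers root@10.0.0.1 root@10.0.0.2 admin@10.0.0.* ops
"""


def parse_allow_users(config_text):
    """Collect every pattern from all AllowUsers lines (sshd concatenates them)."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "allowusers":
            patterns.extend(parts[1].split())
    return patterns


def glob_match(pattern, text):
    """sshd-style wildcard match: '*' matches any run of characters, '?' one.

    A hand-rolled conversion is used instead of fnmatch because fnmatch also
    interprets '[...]' classes, which sshd patterns do not have.
    """
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, text) is not None


def allowed(user, source_ip, patterns):
    """Return True if a login as `user` from `source_ip` passes AllowUsers.

    An empty pattern list means the directive is absent and nobody is filtered.
    Otherwise at least one entry must match: a bare user pattern matches from
    any host, a 'user@host' entry only when both halves match.
    """
    if not patterns:
        return True
    for entry in patterns:
        user_pat, _, host_pat = entry.partition("@")
        if not glob_match(user_pat, user):
            continue
        if host_pat == "" or glob_match(host_pat, source_ip):
            return True
    return False


if __name__ == "__main__":
    pats = parse_allow_users(SSHD_CONFIG)
    for who, src in [("root", "10.0.0.1"), ("root", "10.0.0.3"),
                     ("admin", "10.0.0.77"), ("ops", "192.168.1.1"),
                     ("alice", "10.0.0.1")]:
        verdict = "allowed" if allowed(who, src, pats) else "refused"
        print(f"{who}@{src}: {verdict}")
```

Note that `alice` is refused from every host even though nothing in the list names her: listing `root@10.0.0.1` turns AllowUsers into a whitelist for the whole server, so each legitimate account (or a group via AllowGroups) has to be added alongside it. Pair the directive with key-only authentication and a packet-filter rule on port 22, as the earlier replies suggest, since AllowUsers is checked only after the TCP connection and the SSH handshake have already been accepted.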



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?11/21/04_02:03:27_-0600__nicksm>