Question restricting ssh access for some users only

Per Engelbrecht per at xterm.dk
Thu Oct 7 11:57:56 PDT 2004


> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
>> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden at eng.utah.edu>
>> wrote:
>> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200
>> > wrote:
>> > > Hi Jim,
>> > >
>> > >
>> > But what if you have 1000 users? From my understanding you would
>> > have to add all users to the AllowUsers list.
>>
>>     Or simply add all of them to one of the groups specified in
>>     "AllowGroups".
>
> Yes I do understand how that would work. Let me better explain what
> we would like to do: We have over 9000 users and about 100
> different
> groups. We would like to allow root ssh login to our machines but
> only from one or two machines. We like to have root login to be
> able to run remote commands to all our machines. So is there a way
> to limit roots login from one or two machines?

Hi Mark
This is what I do:
Disable root login via ssh entirely and set up 'sudo' and ssh-agents.
You can make quite impressive sudo setups. Look at
http://www.courtesan.com/sudo/

With this approach the root passwd is safe (both from ssh and from
other admin/users) and you can exec any command on any server without
the use of passwd if you use ssh-agents and every 'sudo' command is
logged. You know who did this and that .. and when.
Furthermore, add accounting on each server and add a central syslog(-ng)
server (if not done already)

respectfully
/per
per at xterm.dk


>
> -Mark
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
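
The layout Per describes above (root locked out of sshd, an admin group
allowed in with keys, sudo on the far side, one push host fanning out
over ssh-agent), written out as an added example. This is not code from
the thread or from FreeBSD; the group name 'admins', the account
'admin', the hosts web1/web2 and the log path are assumptions for
illustration. The sshd_config check is the one to run before relying on
the setup: sshd honours the first occurrence of a keyword, so a stray
'PermitRootLogin yes' higher up in the file silently wins.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical names:
# group 'admins', account 'admin', hosts web1/web2, /var/log/sudo.log.

# 1. sshd_config fragment: nobody logs in as root over ssh, only members
#    of the 'admins' group may log in at all, and only with keys.
SSHD_HARDENING='PermitRootLogin no
AllowGroups admins
PasswordAuthentication no'

# 2. sudoers fragment: the ssh key is the authentication, so the admin
#    group gets root without a second password prompt (needed for
#    non-interactive fan-out); every invocation is logged by sudo.
SUDOERS_ADMINS='%admins ALL=(ALL) NOPASSWD: ALL
Defaults logfile=/var/log/sudo.log'

# Audit check: does this sshd_config really disable root login?
# sshd uses the FIRST uncommented PermitRootLogin it sees, so that is
# the one we look at. No line at all means the compiled-in default
# applies, which we treat as "not disabled" to stay conservative.
# (Match blocks are not evaluated; use 'sshd -T' for the effective
# per-connection value on an OpenSSH that supports it.)
sshd_root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# The command the push host runs against one target: log in as the
# unprivileged admin account with the key held by ssh-agent (BatchMode
# refuses any password/passphrase prompt), then escalate with sudo -n
# so a missing NOPASSWD rule fails loudly instead of hanging.
remote_cmd() {
    host=$1; shift
    printf 'ssh -o BatchMode=yes admin@%s sudo -n -- %s\n' "$host" "$*"
}

# Fan-out: run one command on every host given. With DRY_RUN set the
# ssh command lines are printed instead of executed.
run_everywhere() {
    cmd=$1; shift
    for h in "$@"; do
        if [ -n "$DRY_RUN" ]; then
            remote_cmd "$h" "$cmd"
        else
            ssh -o BatchMode=yes "admin@$h" sudo -n -- "$cmd" \
                || echo "FAILED: $h" >&2
        fi
    done
}

# Usage (run on the push host after 'eval $(ssh-agent)' and 'ssh-add'):
#   DRY_RUN=1 run_everywhere uptime web1 web2
```

The NOPASSWD rule is the trade-off in this design: whoever controls the
agent on the push host is root on every target, so that host and the
key's passphrase deserve the same care the root password used to get.
Pair the sudo logfile with the central syslog(-ng) server Per
recommends, so the "who did what, and when" record does not live only
on the machine that was just administered.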