Question restricting ssh access for some users only

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Oct 7 12:26:34 PDT 2004


On Thu, Oct 07, 2004 at 12:34:00PM -0600, Mark Ogden wrote:
> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
> > On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden at eng.utah.edu> wrote:
> > > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > > > Hi Jim,
> > > >
> > > >
> > > But what if you have 1000 users? From my understanding you would have
> > > to add all users to the AllowUsers list.
> > 
> >     Or simply add all of them to one of the groups specified in "AllowGroups".
> 
> Yes I do understand how that would work. Yet me better explain what we
> would like to do: We have over 9000 users and about 100 different
> groups. We would like to allow root ssh login to our machines but only
> from one or two machines. We like to have root login to be able to run
> remote commands to all our machines. So is there a way to limit roots
> login from one or two machines?

Before any one else leaps in, you're going to get a lot of advice
saying "don't allow people to ssh into the root account directly: make
them log in to their own accound, and then use su(1) or sudo(1).
That's good advice.  However, to answer the question that was actually
asked:

Use the PermitRootLogin option in /etc/ssh/sshd_config to force the
people who are going to log in to use key based authentication:

    PermitRootLogin without-password

Then issue each person that should be able to log into the root a/c on
the box their own public/private key pair -- ie. get them to run
ssh-keygen(1) -- each key should have a different passphrase usable
only by the person it's issued to.

Copy the public keys into /root/.ssh/authorized_keys on the target
machine.  Edit that file to add the 'from="pattern-list"' restriction
on use of that key -- see the section AUTHORIZED_KEYS FILE FORMAT in
sshd(8).  Adding no-port-forwarding, no-X11-forwarding and/or
no-agent-forwarding as well is usually a good idea.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20041007/de69d090/attachment.bin


More information about the freebsd-security mailing list