On 9 Nov 2002, Bret Hughes wrote:
> On Fri, 2002-11-08 at 12:00, Richard Nghiem wrote:
> > Hello,
> >
> > I have restricted root login to all my machines through ssh by setting
> > "PermitRootLogin no". I do most of my work as root and distribute
> > config files through scp to the correct places. Currently I have to su
> > -l after I login as myself. Is there any way that I can restrict root
> > logins to a specific IP without running multiple ssh daemons on
> > different ports?
> >
> Not that I know of, but I feel your pain. It would be a neat feature.
> As long as you disallow password authentication and use a key that
> requires a passphrase you should be ok. That is what I do on the
> machines that I regularly send files to as root.
Here is what you could do. Set PermitRootLogin to yes and use the
pam_access.so module to restrict direct root access to the server.

Add the following pam_access line to /etc/pam.d/sshd:

    account required /lib/security/pam_access.so

The /etc/pam.d/sshd should look like:

    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_nologin.so
    account required /lib/security/pam_access.so
    account required /lib/security/pam_stack.so service=system-auth
    ...

Add the following line to /etc/security/access.conf:

    -:root:ALL EXCEPT adminserver

With this method, everyone should still be able to ssh from any server,
and you should be able to do direct root logins only from "adminserver".
Make sure you test it thoroughly since I didn't test it.

Good luck!

Werner

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
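To see exactly what the access.conf rule above permits before putting it on a server, here is an added example (not from the post or from pam_access itself) that parses access.conf-style lines and evaluates them the way pam_access does: first matching rule wins, "ALL" matches anything, "EXCEPT" carves out exceptions, and a user/origin pair that matches no rule is permitted. It only models exact hostname and user matches, and the sample configuration and hostnames ("adminserver", "workstation") are the ones from the post or constructed here; it does not handle netgroups, IP/netmask origins, tty origins or domain-suffix matching that the real module supports.

```python
"""Simulate pam_access evaluation of /etc/security/access.conf rules.

Added illustration; simplified to exact user/host matching. Real
pam_access also understands netgroups, IP/netmask and domain origins.
"""

# Constructed example: the single rule proposed in the post.
ACCESS_CONF = """
# permission : users : origins
-:root:ALL EXCEPT adminserver
"""


def _parse_list(spec):
    """Split 'a b EXCEPT c d' into (included, excluded) token lists."""
    tokens = spec.split()
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        return tokens[:idx], tokens[idx + 1:]
    return tokens, []


def _matches(value, spec):
    """True if value matches the list spec ('ALL' matches anything)."""
    included, excluded = _parse_list(spec)

    def in_list(items):
        return any(item == "ALL" or item == value for item in items)

    return in_list(included) and not in_list(excluded)


def parse_access_conf(text):
    """Return a list of (permit: bool, users_spec, origins_spec) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in: {raw!r}")
        rules.append((perm == "+", users, origins))
    return rules


def check_access(rules, user, origin):
    """Evaluate rules in order; the first rule matching both fields decides.

    Like pam_access, a pair that matches no rule is allowed.
    """
    for permit, users_spec, origins_spec in rules:
        if _matches(user, users_spec) and _matches(origin, origins_spec):
            return permit
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, host in [("root", "adminserver"), ("root", "workstation"),
                       ("richard", "workstation")]:
        verdict = "permit" if check_access(rules, user, host) else "deny"
        print(f"{user}@{host}: {verdict}")
```

Running it shows root is denied from any host other than "adminserver" while ordinary users are unaffected, which is the behaviour the post describes. Because the account module only sees the origin sshd hands to PAM, the hostname in the rule has to match what sshd reports for the connecting client (reverse DNS or the literal IP), so checking the real value in the sshd log before relying on the rule is worthwhile.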