On 2012-02-14, at 4:12 PM, Shawn wrote:
> I need to allow root logins over SSH from the local network, but deny root
> logins from external networks.
>
> So, I've added this to my /etc/security/access.conf:
>
> + : root : 172.16.1.0/24 #green network
> + : root : 160.1.1.0/24 #DMZ
> - : root : ALL
>
> (IPs have been changed to protect the innocent!)
>
> And in my sshd_config file I have set
> PermitRootLogin yes
> PasswordAuthentication yes
> UsePAM yes
>
> (I also need to allow external users to connect sometimes, without an SSH
> key. So the keyboard passwords are needed.)
>
> This seems to be working, and I can connect from the internal network with
> the root account (using my ssh key), yet external access via root is being
> denied though it is allowing a password entry (and I used the right password).
>
> Is there a better way to set this sort of thing up? Specifically, allowing
> root logins from the internal network but not remote networks?
>
> (for the curious, I need root access internally so that I can use the
> graphical tools (convenience!) to transfer files to the public web server).
>
> Thanks for any feedback.
>
> Shawn

Would using certificate auth instead of password auth render the
internal/external config moot?

Also, I'm pretty sure programs like kdesu let non-root users run X apps as
root over ssh.

Anand.

_______________________________________________
clug-talk mailing list
clug-talk@clug.ca
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
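
The three access.conf rules from Shawn's message, evaluated the way access.conf(5) describes: the first entry matching the (user, origin) pair decides, and a login that matches no entry is granted. This is an added Python sketch, not part of the thread and not pam_access's own code; it handles only literal user names, ALL and CIDR origins, and the test addresses and the user name alice are constructed.

```python
import ipaddress

# Rules from the post with the trailing comments dropped (constructed input).
RULES = """\
+ : root : 172.16.1.0/24
+ : root : 160.1.1.0/24
- : root : ALL
"""

def parse_rules(text):
    """Return (permission, users, origins) tuples; skip blank and '#' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two colons only, so the origins field stays whole.
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % perm)
        rules.append((perm, users.split(), origins.split()))
    return rules

def origin_matches(token, addr):
    """Match ALL or a CIDR network; other origin types are outside this sketch."""
    if token == "ALL":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False

def access_allowed(rules, user, addr):
    """First matching rule decides; no matching rule means access is granted."""
    for perm, users, origins in rules:
        user_hit = any(u in ("ALL", user) for u in users)
        if user_hit and any(origin_matches(o, addr) for o in origins):
            return perm == "+"
    return True

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for user, addr in [("root", "172.16.1.25"), ("root", "203.0.113.9"),
                       ("alice", "203.0.113.9")]:
        verdict = "allow" if access_allowed(rules, user, addr) else "deny"
        print(user, addr, verdict)
```

Because the first match wins, the order of the three lines matters: with the `- : root : ALL` entry first, root would be refused from the internal networks as well.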