I use certificate auth for the boxes I control (internal boxes, and my laptop). Using certificate auth for customers who need one-off type access (direct large file transfers, for example) is adding unnecessary overhead (IMO, for this particular use case).

On 12-02-14 04:20 PM, Anand Singh wrote:

On 2012-02-14, at 4:12 PM, Shawn wrote:

I need to allow root logins over SSH from the local network, but deny root 
logins from external networks.

So, I've added this to my /etc/security/access.conf:

+ : root : 172.16.1.0/24 #green network
+ : root : 160.1.1.0/24  #DMZ
- : root : ALL

(IPs have been changed to protect the innocent!)

And in my sshd_config file I have set
  PermitRootLogin yes
  PasswordAuthentication yes
  UsePAM yes

(I also need to allow external users to connect sometimes, without an SSH key.  
So the keyboard passwords are needed.)

This seems to be working, and I can connect from the internal network with the 
root account (using my ssh key), yet external access via root is being denied 
though it is allowing a password entry (and I used the right password).

Is there a better way to set this sort of thing up?  Specifically, allowing 
root logins from the internal network but not remote networks?

(for the curious, I need root access internally so that I can use the graphical 
tools (convenience!) to transfer files to the public web server).

Thanks for any feedback.

Shawn

Would using certificate auth instead of password auth render the 
internal/external config moot?  Also, I'm pretty sure programs like kdesu let 
non-root users run X apps as root over ssh.

Anand.
_______________________________________________
clug-talk mailing list
clug-talk@clug.ca
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
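The three access.conf rules quoted above only behave as intended because pam_access stops at the first matching line, so the catch-all "- : root : ALL" must come last. As an added illustration of that first-match evaluation (this is example code written for this page, not part of pam_access or anything Shawn or Anand posted), the Python below parses the post's rules, decides whether a given user and client address would be permitted, and flags rules that an earlier catch-all makes unreachable. It assumes "#" starts a comment anywhere on a line, handles only ALL, IP and network origins (no hostnames, LOCAL, groups or ALL EXCEPT), and uses the sanitized addresses from the post plus a constructed external address.

```python
"""Evaluate /etc/security/access.conf rules with pam_access' first-match semantics."""
import ipaddress

# Constructed copy of the three rules quoted in the post (the live file on a host is
# /etc/security/access.conf; these are the post's sanitized addresses).
ACCESS_CONF = """\
+ : root : 172.16.1.0/24 #green network
+ : root : 160.1.1.0/24  #DMZ
- : root : ALL
"""


def parse_rules(text):
    """Parse 'permission : users : origins' lines into (permit, users, origins) tuples.

    Assumption: '#' starts a comment anywhere on a line (the post's rules carry
    trailing comments). Group syntax '(group)' and 'ALL EXCEPT' are not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # maxsplit=2 keeps an IPv6 origin (which itself contains colons) intact
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        permit, users, origins = parts
        rules.append((permit == "+", users.split(), origins.split()))
    return rules


def origin_matches(origin, addr):
    """True if the client address falls inside an origin token (ALL, an IP, or a network)."""
    if origin == "ALL":
        return True
    try:
        net = ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False  # hostnames, LOCAL and tty names are outside this example's scope
    return ipaddress.ip_address(addr) in net


def is_allowed(rules, user, addr):
    """Return (allowed, index_of_matching_rule); the first matching rule wins.

    When no rule matches, pam_access permits, so (True, None) is returned.
    """
    for i, (permit, users, origins) in enumerate(rules):
        user_hit = any(u == "ALL" or u == user for u in users)
        origin_hit = any(origin_matches(o, addr) for o in origins)
        if user_hit and origin_hit:
            return permit, i
    return True, None


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule with an ALL
    origin already covers every user they name (the classic ordering mistake)."""
    shadowed = []
    for i, (_, users, _) in enumerate(rules):
        for _, prev_users, prev_origins in rules[:i]:
            covers_users = "ALL" in prev_users or set(users) <= set(prev_users)
            if covers_users and "ALL" in prev_origins:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for addr in ("172.16.1.50", "160.1.1.7", "203.0.113.9"):  # last one is a constructed external address
        print(addr, is_allowed(rules, "root", addr))
    # Same rules with the catch-all deny moved to the top: both permits become dead rules.
    misordered = parse_rules("- : root : ALL\n" + ACCESS_CONF)
    print("shadowed:", shadowed_rules(misordered))
```

Running it shows root permitted from the two internal networks (rules 0 and 1), denied from the external address by rule 2, and a non-root user unaffected because no rule names them. pam_access is normally called from the account stack, which runs after authentication, so a password prompt followed by a rejection is the expected shape of an access.conf denial. OpenSSH can express the same network-scoped restriction on its own with a global `PermitRootLogin no` and a `Match Address` block that sets `PermitRootLogin yes` for the internal ranges, which keeps the policy in one file.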

