Did you try using a Match block in your sshd_config?

I've never done it, but I think you would add something like this to
the *end* of the file:

Match Address blah/24
    PermitRootLogin yes


-Mark C.

On Tue, Feb 14, 2012 at 4:25 PM, Shawn <sgro...@open2space.com> wrote:
> Correction.  The external access is not blocking my login attempt. Sooo...
> how do I block external SSH logins with the root account, but allow internal
> SSH root logins?  Thanks for any input.  For now I've disabled Root logins.
>
>
> On 12-02-14 04:12 PM, Shawn wrote:
>>
>> I need to allow root logins over SSH from the local network, but deny
>> root logins from external networks.
>>
>> So, I've added this to my /etc/security/access.conf:
>>
>> + : root : 172.16.1.0/24 #green network
>> + : root : 160.1.1.0/24 #DMZ
>> - : root : ALL
>>
>> (IPs have been changed to protect the innocent!)
>>
>> And in my sshd_config file I have set
>> PermitRootLogin yes
>> PasswordAuthentication yes
>> UsePAM yes
>>
>> (I also need to allow external users to connect sometimes, without an
>> SSH key. So the keyboard passwords are needed.)
>>
>> This seems to be working, and I can connect from the internal network
>> with the root account (using my ssh key), yet external access via root
>> is being denied though it is allowing a password entry (and I used the
>> right password).
>>
>> Is there a better way to set this sort of thing up? Specifically,
>> allowing root logins from the internal network but not remote networks?
>>
>> (for the curious, I need root access internally so that I can use the
>> graphical tools (convenience!) to transfer files to the public web
>> server).
>>
>> Thanks for any feedback.
>>
>> Shawn
>>
>> _______________________________________________
>> clug-talk mailing list
>> clug-talk@clug.ca
>> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
>> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
>> **Please remove these lines when replying
>
>

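A fuller version of the Match approach suggested in this reply, added here as an example and not taken from the thread. It reuses the two subnets from the quoted access.conf, assumes an OpenSSH sshd new enough to support Match, and the client addresses in the check commands are constructed.

```conf
# /etc/ssh/sshd_config (added example, not the poster's actual file)

# Global section: the default for every connection.
# Root is refused here, so any client that matches no block
# below cannot log in as root, whatever it authenticates with.
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes

# Match blocks go at the END of the file: every keyword after a
# Match line belongs to that block until the next Match or EOF.
# Address takes a comma-separated list of CIDR ranges.
Match Address 172.16.1.0/24,160.1.1.0/24
    # Overrides the global value for these source networks only.
    # "prohibit-password" (key-only root) is a stricter choice if
    # internal root logins always use an SSH key.
    PermitRootLogin yes

# Check before reloading sshd (run as root):
#   sshd -t
#   sshd -T -C user=root,host=int.example,addr=172.16.1.10 | grep -i permitrootlogin
#   sshd -T -C user=root,host=ext.example,addr=203.0.113.5 | grep -i permitrootlogin
```

`sshd -t` only checks syntax; the two `sshd -T -C` runs print the effective setting for an internal and an external client, which is where a misplaced Match block shows up.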