Hmm... I wonder if you can still indirectly log in as root remotely, even if you are successful.
If you remotely logged in as a normal user, then set up a tunnel to the SSH port on the machine, you may be able to log in as if you were sitting at that machine.

-Mark C.

On Tue, Feb 14, 2012 at 4:31 PM, Mark Carlson <carlsonm...@gmail.com> wrote:
> Did you try using a Match block in your sshd_config?
>
> I've never done it, but I think you would add something like this to
> the *end* of the file:
>
> Match Address blah/24
> PermitRootLogin yes
>
>
> -Mark C.
>
> On Tue, Feb 14, 2012 at 4:25 PM, Shawn <sgro...@open2space.com> wrote:
>> Correction. The external access is not blocking my login attempt. Sooo...
>> how do I block external SSH logins with the root account, but allow internal
>> SSH root logins? Thanks for any input. For now I've disabled Root logins.
>>
>>
>> On 12-02-14 04:12 PM, Shawn wrote:
>>>
>>> I need to allow root logins over SSH from the local network, but deny
>>> root logins from external networks.
>>>
>>> So, I've added this to my /etc/security/access.conf:
>>>
>>> + : root : 172.16.1.0/24 #green network
>>> + : root : 160.1.1.0/24 #DMZ
>>> - : root : ALL
>>>
>>> (IPs have been changed to protect the innocent!)
>>>
>>> And in my sshd_config file I have set
>>> PermitRootLogin yes
>>> PasswordAuthentication yes
>>> UsePAM yes
>>>
>>> (I also need to allow external users to connect sometimes, without an
>>> SSH key. So the keyboard passwords are needed.)
>>>
>>> This seems to be working, and I can connect from the internal network
>>> with the root account (using my ssh key), yet external access via root
>>> is being denied though it is allowing a password entry (and I used the
>>> right password).
>>>
>>> Is there a better way to set this sort of thing up? Specifically,
>>> allowing root logins from the internal network but not remote networks?
>>>
>>> (for the curious, I need root access internally so that I can use the
>>> graphical tools (convenience!) to transfer files to the public web
>>> server).
>>>
>>> Thanks for any feedback.
>>>
>>> Shawn
>>>
>>> _______________________________________________
>>> clug-talk mailing list
>>> clug-talk@clug.ca
>>> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
>>> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
>>> **Please remove these lines when replying
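
The Match block suggested in this thread, written out in full as an added example (it is not part of the original messages). The two ranges are the sanitized ones from Shawn's post; the host name and test addresses in the comments are constructed placeholders.

```conf
# /etc/ssh/sshd_config (fragment)

# Global settings: apply to every connection unless a Match block
# overrides them. Root login is off by default.
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes

# Match blocks go at the end of the file: every keyword after a Match
# line belongs to that block until the next Match line or end of file.
# Address takes a comma-separated list of CIDR ranges and is compared
# with the source address of the TCP connection as sshd sees it.
Match Address 172.16.1.0/24,160.1.1.0/24
    PermitRootLogin yes

# Check before reloading sshd (run as root):
#   sshd -t
#   sshd -T -C user=root,host=test,addr=172.16.1.10 | grep -i permitrootlogin
#   sshd -T -C user=root,host=test,addr=203.0.113.5 | grep -i permitrootlogin
#   sshd -T -C user=root,host=test,addr=127.0.0.1   | grep -i permitrootlogin
# -t validates the syntax; -T -C prints the effective settings for the
# given user/host/address, so the value can be compared for an internal,
# an external and a loopback source. The loopback check matters for the
# tunnel case raised in the thread: a connection forwarded through an
# existing session reaches sshd from the server's own address, not from
# the remote client's.
```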