I'm trying to avoid having to do ssh tunnels. Low-maintenance/effort is the goal. :)

Never heard of the Match Block thing. I'm investigating. Thanks for the tip.

Shawn

On 12-02-14 04:38 PM, Mark Carlson wrote:
Hmm... I wonder if you can still indirectly log in as root remotely,
even if you are successful.

If you remotely logged in as a normal user, then set up a tunnel to
the SSH port on the machine, you may be able to log in as if you were
sitting at that machine.

-Mark C.

On Tue, Feb 14, 2012 at 4:31 PM, Mark Carlson <carlsonm...@gmail.com> wrote:
Did you try using a Match block in your sshd_config?

I've never done it, but I think you would add something like this to
the *end* of the file:

Match Address blah/24
    PermitRootLogin yes


-Mark C.

On Tue, Feb 14, 2012 at 4:25 PM, Shawn <sgro...@open2space.com> wrote:
Correction.  The external access is not blocking my login attempt. Sooo...
how do I block external SSH logins with the root account, but allow internal
SSH root logins?  Thanks for any input.  For now I've disabled Root logins.


On 12-02-14 04:12 PM, Shawn wrote:

I need to allow root logins over SSH from the local network, but deny
root logins from external networks.

So, I've added this to my /etc/security/access.conf:

+ : root : 172.16.1.0/24 #green network
+ : root : 160.1.1.0/24 #DMZ
- : root : ALL

(IPs have been changed to protect the innocent!)

And in my sshd_config file I have set
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes

(I also need to allow external users to connect sometimes, without an
SSH key. So the keyboard passwords are needed.)

This seems to be working, and I can connect from the internal network
with the root account (using my ssh key), yet external access via root
is being denied though it is allowing a password entry (and I used the
right password).

Is there a better way to set this sort of thing up? Specifically,
allowing root logins from the internal network but not remote networks?

(For the curious, I need root access internally so that I can use the
graphical tools (convenience!) to transfer files to the public web
server.)

Thanks for any feedback.

Shawn

_______________________________________________
clug-talk mailing list
clug-talk@clug.ca
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying

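To see how the Match block suggested in the thread would behave against the networks from Shawn's access.conf, here is an added example (not code from any poster): a simplified evaluator of sshd's Match Address logic, with a constructed sshd_config that denies root globally and re-enables it only for the two internal ranges. It models only the Address criterion and the PermitRootLogin keyword, which is all this thread needs.

```python
import ipaddress

# Constructed sshd_config fragment (assumption, not from the thread): global
# deny, then a Match block at the *end* of the file re-enabling root for the
# internal ranges Shawn listed in access.conf.
SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes

Match Address 172.16.1.0/24,160.1.1.0/24
    PermitRootLogin yes
"""

def parse_sshd_config(text):
    """Return (global_opts, [(networks, opts), ...]) in file order.
    Simplified model: only 'Match Address' criteria are supported."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            crit, _, arg = value.strip().partition(" ")
            if crit.lower() != "address":
                raise ValueError("unsupported Match criterion: " + crit)
            nets = [ipaddress.ip_network(n.strip()) for n in arg.split(",")]
            current = (nets, {})
            blocks.append(current)
        elif current is None:
            global_opts[key.lower()] = value.strip()
        else:
            current[1][key.lower()] = value.strip()
    return global_opts, blocks

def permit_root_login(text, client_ip):
    """Effective PermitRootLogin for a connecting address. As in sshd, the
    global value applies unless the first matching Match block that sets the
    keyword overrides it; later matching blocks are ignored."""
    global_opts, blocks = parse_sshd_config(text)
    addr = ipaddress.ip_address(client_ip)
    for nets, opts in blocks:
        if any(addr in n for n in nets) and "permitrootlogin" in opts:
            return opts["permitrootlogin"]
    # 'prohibit-password' is the current OpenSSH default when unset
    return global_opts.get("permitrootlogin", "prohibit-password")
```

On the real server, `sshd -T -C addr=172.16.1.20,user=root | grep -i permitrootlogin` prints the value sshd itself would apply for that client, which is the authoritative check.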