Thanks for the tip, Mark. The Match block idea works. At least for the
internal network. I need to hook up the laptop again tomorrow to test
the external access.
So, the solution is to add this at the very bottom of the
/etc/ssh/sshd_config file:
Match Address 172.16.0.0/16 #adjust to match your network
PermitRootLogin yes
And make sure the PermitRootLogin option (around line 25 in my file) is
NOT set to "yes". In my case this line was commented out, but the
default value seems to be "yes". I had to set "PermitRootLogin no".
I also had to undo my changes to the /etc/security/access.conf file from
an earlier attempt at allowing root logins from the internal network.
Shawn
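Added example (mine, not Shawn's or Mark's code) to show why the Match block has to be the last thing in the file and to let you check which client addresses actually get root without reconnecting a laptop: a small Python model of the Match resolution rules documented in sshd_config(5), applied to constructed configs modelled on the thread's layout. It covers only the PermitRootLogin keyword and the Address criterion; the network ranges, client addresses and the "misplaced" config are made up for illustration.

```python
"""Which PermitRootLogin value does a client get?  (added example, not from the thread)

Models the sshd_config(5) Match semantics the thread relies on, for one keyword:
  * keywords before the first "Match" line are global; for each keyword the
    first value obtained is used;
  * every line after a "Match ..." line belongs to that block until the next
    "Match" line or end of file, which is why the block has to be the last
    thing in the file;
  * a keyword set in a matching block overrides the global value; if several
    matching blocks set it, the first instance in the file is applied.
Only the "Address" criterion (comma-separated CIDRs or single addresses, no
"!" negation or wildcards) and "Match all" are implemented.  Sample configs
and client addresses below are constructed for illustration.
"""
import ipaddress

# OpenSSH 7.0 and later default; releases of the thread's era defaulted to "yes".
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


def address_matches(client_ip, pattern_list):
    """True if client_ip falls in any comma-separated CIDR/address in pattern_list."""
    ip = ipaddress.ip_address(client_ip)
    for item in pattern_list.split(","):
        item = item.strip()
        if item and ip in ipaddress.ip_network(item, strict=False):
            return True
    return False


def match_line_applies(args, client_ip):
    """Evaluate the criterion/pattern pairs of a Match line; all must hold."""
    if args == ["all"]:
        return True
    if not args or len(args) % 2:
        raise ValueError("Match needs criterion/pattern pairs: %r" % (args,))
    for criterion, pattern in zip(args[0::2], args[1::2]):
        if criterion.lower() != "address":
            raise ValueError("criterion not modelled here: %s" % criterion)
        if not address_matches(client_ip, pattern):
            return False
    return True


def effective_permit_root_login(config_text, client_ip, default=DEFAULT_PERMIT_ROOT_LOGIN):
    """Return the PermitRootLogin value sshd would apply to a connection from client_ip."""
    global_value = None   # first value seen before any Match line
    match_value = None    # first value seen inside a Match block that applies
    in_match = False
    block_applies = False
    for raw in config_text.splitlines():
        # Comments are stripped here; in a real file keep them on their own line.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()
        if keyword == "match":
            in_match = True
            block_applies = match_line_applies(args, client_ip)
            continue
        if keyword != "permitrootlogin" or not args:
            continue
        value = args[0].lower()
        if not in_match:
            if global_value is None:
                global_value = value
        elif block_applies and match_value is None:
            match_value = value
    if match_value is not None:
        return match_value
    if global_value is not None:
        return global_value
    return default


# Constructed to mirror the thread's working layout: global "no", Match block last.
GOOD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
# adjust the network below to your own
Match Address 172.16.0.0/16
    PermitRootLogin yes
"""

# Constructed mistake: the intended global "no" sits after the Match line, so it
# belongs to the block (and loses to the block's earlier "yes"); the global value
# is never set and falls back to the daemon's compiled-in default.
MISPLACED_CONFIG = """\
Match Address 172.16.0.0/16
    PermitRootLogin yes
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("misplaced", MISPLACED_CONFIG)):
        for ip in ("172.16.1.10", "203.0.113.5"):
            # default="yes" reproduces a 2012-era sshd; drop it for a current one
            print("%-9s %-13s -> %s" % (name, ip, effective_permit_root_login(cfg, ip, default="yes")))
```

On the real host OpenSSH can do the same check against the live file: something like `sshd -T -C user=root,host=laptop,addr=203.0.113.5 | grep -i permitrootlogin` prints the value a connection from that address would get with Match blocks applied, so both the internal and the external case can be verified before touching the laptop.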
On 12-02-14 04:31 PM, Mark Carlson wrote:
Did you try using a Match block in your sshd_config?
I've never done it, but I think you would add something like this to
the *end* of the file:
Match Address blah/24
PermitRootLogin yes
-Mark C.
On Tue, Feb 14, 2012 at 4:25 PM, Shawn<sgro...@open2space.com> wrote:
Correction. The external access is not blocking my login attempt. Sooo...
how do I block external SSH logins with the root account, but allow internal
SSH root logins? Thanks for any input. For now I've disabled Root logins.
On 12-02-14 04:12 PM, Shawn wrote:
I need to allow root logins over SSH from the local network, but deny
root logins from external networks.
So, I've added this to my /etc/security/access.conf:
+ : root : 172.16.1.0/24 #green network
+ : root : 160.1.1.0/24 #DMZ
- : root : ALL
(IPs have been changed to protect the innocent!)
And in my sshd_config file I have set
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
(I also need to allow external users to connect sometimes, without an
SSH key. So the keyboard passwords are needed.)
This seems to be working, and I can connect from the internal network
with the root account (using my ssh key), yet external access via root
is being denied though it is allowing a password entry (and I used the
right password).
Is there a better way to set this sort of thing up? Specifically,
allowing root logins from the internal network but not remote networks?
(for the curious, I need root access internally so that I can use the
graphical tools (convenience!) to transfer files to the public web
server).
Thanks for any feedback.
Shawn
_______________________________________________
clug-talk mailing list
clug-talk@clug.ca
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying