[clug-talk] SSH Config questions

2012-02-14 Thread Shawn
I need to allow root logins over SSH from the local network, but deny root logins from external networks. So, I've added this to my /etc/security/access.conf:

+ : root : 172.16.1.0/24 #green network
+ : root : 160.1.1.0/24 #DMZ
- : root : ALL

(IPs have been changed to protect the innocent!)

Re: [clug-talk] SSH Config questions

2012-02-14 Thread Anand Singh
On 2012-02-14, at 4:12 PM, Shawn wrote:
> I need to allow root logins over SSH from the local network, but deny root
> logins from external networks.
>
> So, I've added this to my /etc/security/access.conf:
>
> + : root : 172.16.1.0/24 #green network
> + : root : 160.1.1.0/24 #DMZ
> - : root

Re: [clug-talk] SSH Config questions

2012-02-14 Thread Shawn
Correction. The external access is not blocking my login attempt. Sooo... how do I block external SSH logins with the root account, but allow internal SSH root logins? Thanks for any input. For now I've disabled root logins.

On 12-02-14 04:12 PM, Shawn wrote:
> I need to allow root logins ov

Re: [clug-talk] SSH Config questions

2012-02-14 Thread Shawn
I use certificate auth for the boxes I control (internal boxes, and my laptop). Using certificate auth for customers who need one-off type access (direct large file transfers, for example) is adding unnecessary overhead (IMO, for this particular use case).

On 12-02-14 04:20 PM, Anand Singh wr

Re: [clug-talk] SSH Config questions

2012-02-14 Thread Mark Carlson
Did you try using a Match block in your sshd_config? I've never done it, but I think you would add something like this to the *end* of the file:

Match Address blah/24
    PermitRootLogin yes

-Mark C.

On Tue, Feb 14, 2012 at 4:25 PM, Shawn wrote:
> Correction.  The external access is not block

Re: [clug-talk] SSH Config questions

2012-02-14 Thread Mark Carlson
Hmm... I wonder if you can still indirectly log in as root remotely, even if you are successful. If you remotely logged in as a normal user, then set up a tunnel to the SSH port on the machine, you may be able to log in as if you were sitting at that machine.

-Mark C.

On Tue, Feb 14, 2012 at 4:3

Re: [clug-talk] SSH Config questions

2012-02-14 Thread Shawn
I'm trying to avoid having to do ssh tunnels. Low-maintenance/effort is the goal. :) Never heard of the Match block thing. I'm investigating. Thanks for the tip.

Shawn

On 12-02-14 04:38 PM, Mark Carlson wrote:
> Hmm... I wonder if you can still indirectly log in as root remotely, even if y

Re: [clug-talk] SSH Config questions

2012-02-14 Thread Andrew J. Kopciuch
On February 14, 2012, Mark Carlson wrote:
> Did you try using a Match block in your sshd_config?
>
> I've never done it, but I think you would add something like this to
> the *end* of the file:
>
> Match Address blah/24
>     PermitRootLogin yes
>

AFAIK you can have multiple conditions in the
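Worked sshd_config for the setup the thread converges on (Mark's and Andrew's Match suggestion). This is an added example, not a configuration posted in the thread; the two subnets are the placeholder ones from Shawn's first post, and the hostname used in the check below is made up.

```sshd_config
# Global default, applies to every connection that no Match block claims:
PermitRootLogin no

# (other global options go above this line)

# Match must be the last section of the file: every keyword after a Match
# line applies only to connections that satisfy its criteria, until the next
# Match or end of file. Address takes a comma-separated CIDR list, so both
# internal networks fit in one block. 127.0.0.1/::1 are deliberately NOT
# listed, so a loopback connection made through a forwarded port (Mark's
# "indirect" path) still gets the global "no".
Match Address 172.16.1.0/24,160.1.1.0/24
    PermitRootLogin yes
```

Check it before reloading: `sshd -t` validates the syntax, and `sshd -T -C user=root,host=laptop.example,addr=172.16.1.20 | grep -i permitrootlogin` prints the effective value sshd would apply to a connection from that address (expect `permitrootlogin yes`); repeat with an external address such as `addr=203.0.113.9` and expect `permitrootlogin no`. Match Address is evaluated against the TCP peer address, which is why a user who can log in unprivileged and forward a port to the SSH daemon arrives from the loopback address; keep loopback out of the list, and restrict AllowTcpForwarding for accounts that do not need it if that path matters. On the access.conf side, rules in /etc/security/access.conf are only enforced for SSH if pam_access.so is in the account stack of /etc/pam.d/sshd and sshd runs with UsePAM yes; with neither in place the file is never consulted, which is consistent with the external login not being blocked in the thread.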