topic Re: SSH Restrict of Direct Root Login in Operating System - Linux

SSH Restrict of Direct Root Login

Pawan_1 — Thu, 02 Feb 2006 12:53:08 GMT

Am trying to disable direct root login to the servers, but allow them to scp or sftp using keys from an authorised server. Somehow when the variable in sshd_config "PermitRootLogin forced-commands-only" is set, it does not allow remote executions of command also and keeps on asking for password. Has anyone implemented the same without specifying which commands to execute ? Thanks

Re: SSH Restrict of Direct Root Login

Steven E. Protter — Thu, 02 Feb 2006 14:12:34 GMT

Shalom Pawan,

So you are saying prior to setting that variable in sshd_config password free access worked?

If unsure, please set it back to default and re-test. Also I reccomend checking the ownerhip and permissions of the users home directory to see if something got messed up.

SEP

Re: SSH Restrict of Direct Root Login

Ivan Ferreira — Thu, 02 Feb 2006 14:19:09 GMT

Check this page, it may help you and give you some additional tips about how to configure forced-commands-only:

http://www.jdmz.net/ssh/

Re: SSH Restrict of Direct Root Login

Pawan_1 — Thu, 02 Feb 2006 14:24:50 GMT

Hi.
Sorry for the confusion:

-We want to restrict "root" account to login only from the console.
-For that we modified the file ssd_config to add : PermitRootLogin forced-commands-only

This helped us prevent the direct login's. But now from our trusted system, we cannot issue commands scp / sftp with root login's as its asking for password.

Re: SSH Restrict of Direct Root Login

Pawan_1 — Thu, 02 Feb 2006 14:26:32 GMT

Thanks that will help.

Re: SSH Restrict of Direct Root Login

Pawan_1 — Fri, 03 Feb 2006 12:45:14 GMT

Well followed the Article and have configured "rsync" to work with the forced-commands-only option.Here is the how the file looks like:
#!/bin/ksh

case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\(*)
echo "Rejected"
;;
*\{*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
*\<*)
echo "Rejected"
;;
*\`*)
echo "Rejected"
;;
rsync\ --server*)
$SSH_ORIGINAL_COMMAND
;;

*)
echo "Rejected"
;;
esac

--Now I want to include "scp" and "sftp" also in this file and the question is what should be the string. I have tried different comninations in this file and it does not work.

Re: SSH Restrict of Direct Root Login

Bill Thorsteinson — Mon, 06 Feb 2006 11:16:13 GMT

SCP and SFTP are built-in functionality.
Look at the options for the key file.

Try using scp -v and sftp -v to see what
is happening. It looks like scp is
invoked as a command, and sftp as a subsystem.
You may need separte keys for these two
functionalities.