Deny ssh root logins, but allow ssh remote commands?
01-19-2005 03:13 AM
/etc/securetty will prevent telnet logins as root, if it contains the line "console" and nothing else, but this does NOT prevent root remsh commands if /.rhosts is set up to allow it.
I want to know if the same type of thing is possible using ssh:
I want to deny root logins, but I want to allow remote ssh commands to be run as root (preferably only from one particular central admin server, if possible)
I am in the process of devising a plan to beef up security on our HP-UX systems, and I want to disable root logins, thus forcing people to login as themselves, then use su if/when they need root permissions, so we have an audit trail.
But I also want to run various scripts (on a central server) that collect info from all the others, both for monitoring purposes, and to collect up-to-date configuration info in case of disaster.
I know that setting "PermitRootLogin no" in sshd_config will prevent root logins, but it also prevents remote commands from my scripts.
It would be acceptable to permit root logins only from the central admin server (and the console, obviously). All systems are running HP-UX.
Thanks in anticipation.
Tags: ssh
01-19-2005 03:30 AM
Re: Deny ssh root logins, but allow ssh remote commands?
Example, root can scp files to another system but will login as the other user in the SSH utility. PermitRootLogin no works on the scp, sftp, and other SSH utilities as well. Been trying to play with .shosts as well to no avail.
01-19-2005 03:50 AM
Re: Deny ssh root logins, but allow ssh remote commands?
Just get everybody to use certificates (even putty handles them) and disable password-based logins.
Unless somebody knows how to do it. It would be great if ;)
01-19-2005 06:37 AM
Re: Deny ssh root logins, but allow ssh remote commands?
Attached is my usual document on how to do this.
Chris
01-19-2005 05:53 PM
Re: Deny ssh root logins, but allow ssh remote commands?
This is an example of how our inetd.sec looks:
login deny
shell deny
exec deny
registrar allow xx.xxx.xx.xx
ftp allow xx.xx.xx.xxx\
xx.xx.xx.xxx\
Now you can leave the entry in sshd_config.
01-19-2005 09:35 PM
Re: Deny ssh root logins, but allow ssh remote commands?
command="/usr/bin/bart create -r -" ssh-dss AAAAB3NzaC1kc3MAAACBAJ6zG8SJtQVi/EtOugyktNssLVofLmUepqsh712+D1AObTwRWZwjSH4hE423U3AcfY99u9ZxsdJ0sEpqnnvXmKaym7pMgkNxMCPoPcnf4mAIcx9IQkpotAiCbCQ+My5lFD4iW4Nxjqh6KwIecEaABcpg2x5nhaX8Bsx0XURO/f+jAAAAFQCD6dOAM1JunvUeCWNpXoB6tLyLewAAAIAXya1UPijNFIjymsJ0gjQXyCgll8/tORHy2vrloH7vgh9RJ9YNRWSZZjyRvLlKTd4KFIfcjT43WlVWJKa/A7l14DGntoTS+dRh4MohJXdUjYMvV+OODc1j8V2p+JWbbHlqDxa+zAuFEskoWNPmBrTnbLNzamIPnQ7ZaqWsbWuePQAAAIEAmqlCaMfuFYWlvDHeak79FmxHJjRLqmvRwlPPtkW8XDuF8wn8lj/+glWWY6/VJVtbfgteZLweotdM2wvdfXNqROiU9vvlylOdv29iADxsSlPGSrjXkbkNGQXMHTgPQmfbDhmtpnM6occl2R+J8dpDT59zWV7+egNZ0TTV8GNnmng= gmb@manager
For more details see: http://www.securitydocs.com/library/2649
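The line above is an authorized_keys entry with a command= option: whatever the client asks to run, sshd runs the listed command instead. The following is an added example (not from the thread or from any poster) of how that idea covers the original question, where several different collection scripts need to run as root from one admin server. It assumes a constructed admin server address 10.0.0.5, a wrapper installed as /usr/local/sbin/admin-wrapper, and the HP-UX commands uptime, bdf and vgdisplay; the command names uptime, diskinfo and lvm-config are invented for the example.

```shell
#!/bin/sh
# Constructed example: a wrapper used as the forced command in root's
# authorized_keys on every managed HP-UX host, e.g. (one line, placeholder key):
#
#   from="10.0.0.5",command="/usr/local/sbin/admin-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... admin@central
#
# together with  PermitRootLogin forced-commands-only  in sshd_config, so root
# can authenticate only with a key that carries a command= option: no password
# login, no interactive shell, and only from the from= address.
#
# sshd puts the command the client requested into SSH_ORIGINAL_COMMAND. The
# wrapper never executes that text; it maps a short name onto a fixed command.

# Map a requested name to the fixed command we are willing to run as root.
# Prints the resolved command and returns 0 on success; returns 1 otherwise.
resolve_command() {
    case "$1" in
        uptime)     echo "/usr/bin/uptime" ;;
        diskinfo)   echo "/usr/bin/bdf" ;;
        lvm-config) echo "/usr/sbin/vgdisplay -v" ;;
        *)          return 1 ;;
    esac
}

# Entry point when sshd runs the wrapper: dispatch or refuse, and log both
# outcomes to syslog so refused requests show up in the audit trail.
main() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    client="${SSH_CLIENT%% *}"
    if cmd=$(resolve_command "$requested"); then
        logger -p auth.info -t admin-wrapper "running '$cmd' for $client"
        exec $cmd
    else
        logger -p auth.warning -t admin-wrapper "refused '$requested' from $client"
        echo "admin-wrapper: command not permitted" >&2
        exit 1
    fi
}

# SSH_CONNECTION is set by sshd; only dispatch when actually invoked over ssh.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

From the admin server the collection scripts then call, for example, ssh root@host diskinfo; an interactive login attempt arrives with SSH_ORIGINAL_COMMAND unset, falls into the refused branch and is logged. Adding a new collector means adding a case line, not widening what the key can do.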
01-19-2005 10:18 PM
Re: Deny ssh root logins, but allow ssh remote commands?
I have already set up ssh with and authorized_keys file on a couple of test systems, to allow passwordless logins from the admin server, and I run daily/weekly scripts on the admin server which execute remote remsh/ssh commands on all servers to collect system info for monitoring purposes, and also to keep a historical record of configurations for DR purposes. Some of these commands must be run under root.
I want to keep using these scripts after we convert all systems to ssh and disable inetd, but I do NOT want anyone to login directly as root (not even with a password) from any other place except the console. If there's no other way, it would be acceptable to allow root logins from the admin server as well, but not from anywhere else, even with a password.
Is there a way to either:
1) Block all root logins, but specify 1 or more exceptions, where root CAN login from?
2) Create a "blacklist" (hopefully allowing wildcards) to specify where root CANNOT login from?
Thanks
01-19-2005 10:25 PM
Re: Deny ssh root logins, but allow ssh remote commands?
The following test will check that. Prepare /etc/hosts.deny as follows:
ALL:ALL
(the first is the service name and second is the host/nw etc.)
Now, try to telnet/ssh and it will not work.
This will confirm that TCP wrappers is built in. Then prepare the /etc/hosts.allow file to allow logins from selective hosts/networks.
Also set sshd to start from inetd.conf.
Anil
01-19-2005 10:45 PM
Re: Deny ssh root logins, but allow ssh remote commands?
If you create a different key for root and just distribute that to the admin server then only that server has interactive access via this key. Set the key options to "rootlogin = keyonly" to deny passwd login. Finally distribute a separate root key and then make it captive so that it only runs your scripts.
sshd_config has variables for limiting hosts, users, and groups.
01-19-2005 10:56 PM
Re: Deny ssh root logins, but allow ssh remote commands?
Unfortunately, specifying ALL:ALL in /etc/hosts.deny denies ALL users from logging in - not just root, no matter what's in hosts.allow.
I can't find a man page for hosts.allow or hosts.deny, and man hosts just covers /etc/hosts.
Is there a way to specify individual users in /etc/hosts.deny?
I tried a blank hosts.deny file, and just the admin server in /etc/hosts.allow, but that lets me in from other hosts as well.
Also, you say that the format of these files is HOST:NETWORK
Does specifying a network mean that users on any host on that network can login? Can I just specify 1 host that root can login from, and allow other users to login from anywhere?
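The two questions just asked (allow root only from one host, everyone else from anywhere) are exactly what TCP wrappers cannot express: hosts.allow and hosts.deny match on service and client host, never on user name, which is why ALL:ALL locked out everybody. The per-user, per-host decision belongs in sshd itself. As an added example (not from the thread), the following sshd_config fragment does it with a Match block; it assumes the constructed admin server address 10.0.0.5 and a version of sshd whose Match block accepts PermitRootLogin (current OpenSSH does; the 2005-era HP-UX Secure Shell the thread discusses predates Match).

```text
# Constructed example sshd_config fragment (not from the thread).

# Global default: root may not log in over ssh from anywhere, by any method.
# Ordinary users are unaffected and may still log in and then su.
PermitRootLogin no

# Exception for the central admin server only (constructed address).
# forced-commands-only: root may authenticate from this address, but only with
# a public key whose authorized_keys entry carries a command= option, so there
# is still no password login and no free shell, just the scripted commands.
Match Address 10.0.0.5
    PermitRootLogin forced-commands-only
```

Match Address takes an IP address or CIDR network, not a host name, and every keyword after a Match line applies only to connections matching it until the next Match. Check the result with sshd -T (on versions that have it) or simply by attempting a root login from a non-admin host and confirming it is refused and logged.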