HPE Community
Operating System - HP-UX
1855586 Members
1961 Online
104112 Solutions
New Discussion

Re: sshd config

 
SOLVED
Go to solution
Andrew medhurst1
Frequent Advisor

‎09-28-2009 03:56 AM

‎09-28-2009 03:56 AM

sshd config

guys how can i restrict root login to 1 server.
i nee to enable root login but want to restrict it so that only 1 node can achieve direct root login, i have been searching though SSHD_config but not obvious how i can achieve.
all answers gartefully rewarded.
regards
andrew
0 Kudos
Reply
4 REPLIES 4
Michal Kapalka (mikap)
Honored Contributor

‎09-28-2009 04:07 AM

‎09-28-2009 04:07 AM

Re: sshd config

hi,

check this link :

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=866540


mikap
Reply
sachit patil
Regular Advisor

‎09-28-2009 04:13 AM

‎09-28-2009 04:13 AM

Re: sshd config

you can enble in sshd_config file



# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes


0 Kudos
Reply
kobylka
Valued Contributor

‎09-28-2009 04:13 AM

‎09-28-2009 04:13 AM

Solution

Re: sshd config

Hello Andrew!


To allow root logins from a specified client machine:

PermitRootLogin yes

and change AllowUsers to allow root log ins only from the specified client machine:

AllowUsers root@client_machine

The AllowUsers will affect all other users as well, if they are not listed there, they won't be able to connect to sshd (add users separated by space). Keep this in mind :)

Also, a quite common headbreaking problem is that sshd tries to reverse lookup the ip of the client, if it doesn't resolve to the specified hostname, you will be denied access.


Kind regards,

Kobylka
Reply
Jannik
Honored Contributor

‎09-28-2009 10:36 AM

‎09-28-2009 10:36 AM

Re: sshd config

If you use keys you could restrict the login in the authorized_keys.

from="*.eng.cam.ac.uk,!untrusted.eng.cam.ac.uk"

You still need to set the PermitRootLogin to yes, but you could change the root password to something very difficult. You could disable passwords for root (create a backdoor if it does not work like sudo).

You could use sudo in a combination with ssh-keys and NOPASSWD in the sudoers file.
jaton
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.