SSH Restrict of Direct Root Login

Pawan_1
Frequent Advisor

SSH Restrict of Direct Root Login

I am trying to disable direct root login to the servers, but allow them to scp or sftp using keys from an authorised server. Somehow when the variable in sshd_config "PermitRootLogin forced-commands-only" is set, it does not allow remote execution of commands either and keeps on asking for a password. Has anyone implemented the same without specifying which commands to execute? Thanks
Steven E. Protter
Exalted Contributor

Re: SSH Restrict of Direct Root Login

Shalom Pawan,

So you are saying prior to setting that variable in sshd_config password free access worked?

If unsure, please set it back to default and re-test. Also I recommend checking the ownership and permissions of the user's home directory to see if something got messed up.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor

Re: SSH Restrict of Direct Root Login

Check this page, it may help you and give you some additional tips about how to configure forced-commands-only:

http://www.jdmz.net/ssh/
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Pawan_1
Frequent Advisor

Re: SSH Restrict of Direct Root Login

Hi.
Sorry for the confusion:

-We want to restrict the "root" account to login only from the console.
-For that we modified the file sshd_config to add: PermitRootLogin forced-commands-only

This helped us prevent the direct logins. But now from our trusted system, we cannot issue scp / sftp commands with root logins as it is asking for a password.
Pawan_1
Frequent Advisor

Re: SSH Restrict of Direct Root Login

Thanks that will help.
Pawan_1
Frequent Advisor

Re: SSH Restrict of Direct Root Login

Well, I followed the article and have configured "rsync" to work with the forced-commands-only option. Here is how the file looks:
#!/bin/ksh
# Forced command for the root key (command="..." option in authorized_keys).
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND; only an
# rsync server invocation is run, everything else is refused.

case "$SSH_ORIGINAL_COMMAND" in
*\&*|*\(*|*\{*|*\;*|*\<*|*\`*)
	# shell metacharacters: refuse rather than run something unexpected
	echo "Rejected" >&2
	exit 1
	;;
rsync\ --server*)
	# the rsync client asks the remote side to run "rsync --server ..."
	exec $SSH_ORIGINAL_COMMAND
	;;
*)
	# anything else, including an empty (interactive login) request
	echo "Rejected" >&2
	exit 1
	;;
esac

--Now I want to include "scp" and "sftp" also in this file, and the question is what the string should be. I have tried different combinations in this file and it does not work.
Bill Thorsteinson
Honored Contributor

Re: SSH Restrict of Direct Root Login

SCP and SFTP are built-in functionality. Look at the options for the key file.

Try using scp -v and sftp -v to see what is happening. It looks like scp is invoked as a command, and sftp as a subsystem. You may need separate keys for these two functionalities.
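The wrapper the last two posts are circling (Pawan's rsync-only script, extended with Bill's observation that scp arrives as a remote command while sftp arrives as a subsystem request), written out as an added example. It is not code from the thread or from the jdmz.net article. Assumed, and to be adjusted locally: the install path /usr/local/sbin/root-xfer-only, the sftp-server path /usr/lib/openssh/sftp-server (it must equal the Subsystem line in sshd_config), the trusted host name trusted.example.org and the syslog tag root-xfer-only.

```shell
#!/bin/sh
# Added example, not from the thread: one forced command for the root key that
# admits rsync, scp and the sftp subsystem and refuses everything else.
#
# Server side (assumed paths/names):
#   sshd_config:   PermitRootLogin forced-commands-only
#                  Subsystem sftp /usr/lib/openssh/sftp-server
#   ~root/.ssh/authorized_keys, one line holding the trusted host's key:
#     command="/usr/local/sbin/root-xfer-only",from="trusted.example.org",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... root@trusted
# sshd then runs this script instead of whatever the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND.

SFTP_SERVER=/usr/lib/openssh/sftp-server   # assumed; must equal the Subsystem line
nl='
'

# Print the class of a request: rsync | scp-to | scp-from | sftp | rejected
classify() {
    case "$1" in
        # shell metacharacters and newlines have no place in a transfer request
        *['&(){};<>|`$']*|*"$nl"*)  echo rejected ;;
        # rsync runs "rsync --server [--sender] <flags> . <path>" on the remote side
        "rsync --server "*)         echo rsync ;;
        # scp runs "scp [-r] [-p] -t <dest>" to receive and "scp ... -f <src>" to send
        "scp "*"-t "*)              echo scp-to ;;
        "scp "*"-f "*)              echo scp-from ;;
        # an sftp subsystem request arrives as the configured server path
        "$SFTP_SERVER")             echo sftp ;;
        *)                          echo rejected ;;
    esac
}

run_forced_command() {
    req=${SSH_ORIGINAL_COMMAND:-}     # unset when the client wanted a shell
    case "$(classify "$req")" in
        rejected)
            logger -p auth.warning -t root-xfer-only -- "rejected root request: $req"
            echo "Rejected" >&2
            exit 1 ;;
    esac
    # Passed the whitelist: split into words without glob expansion (set -f)
    # and without handing the string to a shell, then become that process.
    set -f
    set -- $req
    exec "$@"
}

# sshd exports SSH_CONNECTION for every session; dispatch only there, so the
# file can be sourced elsewhere (e.g. to exercise classify) without side effects.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_forced_command
fi
```

Two things worth checking before relying on this. First, the symptom in the original post is expected behaviour: with PermitRootLogin forced-commands-only, sshd accepts a root key only if its authorized_keys line carries a command= option and disables every other method for root, so a key without that option falls through to a password prompt that can never succeed. Second, the sftp branch only works when the Subsystem line names the external sftp-server binary; internal-sftp runs inside sshd itself and cannot be exec'd by a wrapper. The whitelist checks what is run, not where: an accepted scp -t or rsync --server still writes wherever root may, so confine the path arguments too if that matters.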