Re: blocking ssh Root Logins
On Tuesday 22 March 2005 02:11, Roberto C. Sanchez wrote:
> Rob Sims wrote:
> > On Mon, Mar 21, 2005 at 11:54:56AM -0600, Martin McCormick wrote:
> >>Hal Vaughan and others write:
> >>>Yes, according to "man sshd_config", you can disable root login by
> >>> editing the /etc/ssh/sshd_config file. If you see "PermitRootLogin
> >>> Yes" change the yes to no. If you don't see it, add the line, but with
> >>> a "no". It's possible the line could be commented out (the default is
> >>> to permit).
> >>
I presume you have set up sshd to validate the user via a local login. One
alternative is to turn that sort of validation off, and only allow the user
access if you have his public key in the ~/.ssh/authorized_keys file.
I have my main server set that way, and the only authorized user
in /root/.ssh/authorized_keys is the unique key combination reserved from my
local workstation.
If I use my laptop to come in from outside, it has a set of keys which only
allow me to connect to my user account, requiring an su with password to get
at root.
That way, whilst inside my network at home I have direct access to root with
an "ssh root@servername" but from outside I have to "ssh alan@servername" and
su.
As added ergonomics with security, the internal ssh private key has no
passphrase, whilst the one on my laptop has a substantial passphrase - just
in case I lose the laptop.
--
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
then they fight you, then you win. --Gandhi
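
A check for the key-only setup described in this message, as an added example that is not part of the original post. The helper names (`sshd_effective`, `audit_sshd`, `count_keys`) are hypothetical and the sample files are constructed; a keyword that is absent is reported as "unset" rather than assuming a compiled-in default.

```shell
#!/bin/sh
# Added example. Helper names and the sample files are constructed.

# Print the value sshd would use for keyword $2 in config file $1:
# keywords are case-insensitive, '#' lines are comments, and the first
# value read wins. Reading stops at the first Match block (conditional).
# Assumes the whitespace-separated "Keyword value" form.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# Return 0 only if passwords are explicitly off and root cannot use one.
audit_sshd() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    pass=$(sshd_effective "$1" PasswordAuthentication)
    case $root in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "PermitRootLogin=$root: root password login not ruled out"; rc=1 ;;
    esac
    if [ "$pass" != no ]; then
        echo "PasswordAuthentication=$pass: password login not ruled out"; rc=1
    fi
    return $rc
}

# Count the keys in an authorized_keys file (non-blank, non-comment lines).
count_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Constructed sample input.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'passwordauthentication yes' > "$tmp/weak"
printf '%s\n' 'PermitRootLogin without-password' 'PasswordAuthentication no' \
    'PermitRootLogin yes' > "$tmp/keyonly"
printf '%s\n' '# workstation' 'ssh-rsa AAAAconstructedkey root@workstation' \
    '' > "$tmp/root_keys"

audit_sshd "$tmp/weak" || echo "weak: FAIL"
audit_sshd "$tmp/keyonly" && echo "keyonly: OK"
echo "root keys: $(count_keys "$tmp/root_keys")"
```

On a real host the same functions would be pointed at /etc/ssh/sshd_config and /root/.ssh/authorized_keys; a key count other than the one expected for root is the thing to investigate.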