On Wed, 14 May 2008, J.Bakshi wrote:
> Quoting Siddhartha Basu <[EMAIL PROTECTED]>:
>
> > On Tue, 06 May 2008, Prashanth wrote:
> >
> > > Hi Bakshi,
> > >
> > > On Tue, May 6, 2008 at 9:58 AM, J.Bakshi <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I like to configure the sshd such a way that the user root when login
> > > > through ssh to the remote server then no one else can login (through ssh)
> > >
> > > add a access control in the /etc/security/access.conf denying access
> > > for the non-root users(location of this file is different for
> > > different distro if you are using redhat its /etc/hosts.allow or
> > > /etc/host.deny).
> >
> > Well, according to OP the configuration should be conditional, such that
> > when user 'root' is logged in through ssh other users should be blocked
> > and vice versa. So, the deny/allow conf at least should check for logged
> > user before denying the request. I wonder how that could be plugged in
> > to any of the /etc/hosts.allow or /etc/hosts.deny file. I couldn't
> > figure it out, any ideas?
> >
> > -siddhartha
>
> I like to clarify one point here. I'm not talking about "other user" but the
> point is minimizing the log-in session from the same user. For an example
> say root is also logged in through ssh. and I like *no more root login*
> should be possible through ssh. Hence you can imagine that only a single root
> session is defined somehow so that only a single root login is possible at a
> particular time. But I have not found any configuration to do that.
>
> with regards,

So, it boils down to checking for (in this case root) logged user during an
ssh based login attempt. Now, checking for logged user in a system should not
be terribly difficult, however what I couldn't figure out is how to connect
that part to a ssh login attempt and issue a denial/grant as necessary. The
/etc/hosts.allow(deny) files do allow for calling external commands/scripts,
however I don't know how to make it conditional (kind of if-else-then). I
suspect there are some alternate/elegant solution, hopefully somebody might
chime in.

-siddhartha

> > > --
> > > regards,
> > >
> > > Prashanth
> > > http://munichlinux.blogspot.com

_______________________________________________
Ilug-cal-discuss mailing list
[email protected]
http://list.ilug-cal.org/mailman/listinfo/ilug-cal-discuss
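
The check discussed in the last reply (is root already logged in over ssh when a new login arrives?), as an added example that is not part of the original thread. It assumes sshd runs with PAM and calls the script through pam_exec, which exports PAM_USER and PAM_SERVICE; the script path, function names and sample `who` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: account-phase check meant to be run by pam_exec for sshd.
# Hypothetical install path: /usr/local/sbin/single-root-ssh.sh
# Assumed PAM line in /etc/pam.d/sshd (needs "UsePAM yes" in sshd_config):
#   account required pam_exec.so /usr/local/sbin/single-root-ssh.sh

# Count remote terminal sessions for user $1 in `who`-format input on stdin.
# Remote logins show a pts/N line and a trailing "(host)" field; console
# logins (tty1 etc.) are ignored so local access is never locked out.
count_remote_sessions() {
    awk -v u="$1" '$1 == u && $2 ~ /^pts\// && $NF ~ /^\(.*\)$/ { n++ }
                   END { print n + 0 }'
}

# Decide for user $1 given `who` output on stdin.
# Exit status 0 = allow, 1 = deny. Only root is limited; every other
# account passes through untouched.
decide() {
    user=$1
    [ "$user" = "root" ] || return 0
    active=$(count_remote_sessions "$user")
    # The new login is not in utmp yet at the account phase, so any
    # existing remote root session means this attempt is an extra one.
    [ "$active" -lt 1 ]
}

# Constructed samples of `who` output (addresses from the documentation range).
SAMPLE_BUSY='root     pts/0        2008-05-14 10:02 (192.0.2.10)
alice    pts/1        2008-05-14 10:05 (192.0.2.11)'
SAMPLE_FREE='root     tty1         2008-05-14 09:00
alice    pts/1        2008-05-14 10:05 (192.0.2.11)'

# Live path: only runs when pam_exec invoked us for the sshd service.
if [ -n "${PAM_USER:-}" ] && [ "${PAM_SERVICE:-}" = "sshd" ]; then
    who | decide "$PAM_USER" || {
        logger -p auth.notice "sshd: extra root session refused"
        exit 1
    }
fi
```

Sessions without a terminal (scp, a remote command) leave no utmp entry and are not counted by this check.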
