RE: Negated patterns in AllowedUsers

2007-09-10 Thread FasT
I think the better way is to just uncomment the following line in 
/etc/ssh/sshd_config:
#PermitRootLogin yes

And change it to:
PermitRootLogin no

My 2 cents,
FasT

> On Thu, Sep 06, 2007 at 01:52:17AM +0200, Radek Hladik wrote:
> > Hi,
> >   all I wanted was to force SSHd to accept root logins only from
> >   localhost.
>
> If nobody else comes up with an answer, then try this one:
>
> Run two (or more) instances of sshd.  Bind one of them to the loopback
> interface, and let it allow root users.  Bind the other(s) to the "real"
> network interface(s), and let them deny root users.




Re: Negated patterns in AllowedUsers

2007-09-10 Thread Javi Moreno
With PAM, in /etc/pam.d/sshd you can specify that root may only log in
from a certain IP address.

On 9/7/07, Greg Wooledge <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 06, 2007 at 01:52:17AM +0200, Radek Hladik wrote:
> > Hi,
> >   all I wanted was to force SSHd to accept root logins only from
> >   localhost.
>
> If nobody else comes up with an answer, then try this one:
>
> Run two (or more) instances of sshd.  Bind one of them to the loopback
> interface, and let it allow root users.  Bind the other(s) to the "real"
> network interface(s), and let them deny root users.
>


Re: Negated patterns in AllowedUsers

2007-09-07 Thread Greg Wooledge
On Thu, Sep 06, 2007 at 01:52:17AM +0200, Radek Hladik wrote:
> Hi,
>   all I wanted was to force SSHd to accept root logins only from 
>   localhost.

If nobody else comes up with an answer, then try this one:

Run two (or more) instances of sshd.  Bind one of them to the loopback
interface, and let it allow root users.  Bind the other(s) to the "real"
network interface(s), and let them deny root users.
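The two-daemon split Greg describes, written out as an added example (these are not Greg's files and not the OpenSSH project's). The file names, the PID file paths and the 198.51.100.7 address are placeholders; the third section shows the single-config alternative that current OpenSSH offers through a Match block, which the 4.5p1 in this thread could not do (check the list of keywords permitted under Match in `man sshd_config` on the target release).

```text
# --- /etc/ssh/sshd_config : daemon on the "real" interface(s), root refused ---
# Bind explicitly; the default ListenAddress 0.0.0.0 would collide with the
# loopback daemon below.
ListenAddress 198.51.100.7
Port 22
PermitRootLogin no
PidFile /var/run/sshd.pid

# --- /etc/ssh/sshd_config.loopback : second daemon, loopback only, root by key ---
# Reached as a second hop: ssh -A user@server, then ssh root@localhost, so the
# smartcard key is used via the forwarded agent. (Add "ListenAddress ::1" if
# localhost resolves to IPv6 on the box.)
ListenAddress 127.0.0.1
Port 22
PermitRootLogin without-password
PasswordAuthentication no
PidFile /var/run/sshd-loopback.pid
# Check, then start, the second daemon with its own config:
#   sshd -t -f /etc/ssh/sshd_config.loopback && sshd -f /etc/ssh/sshd_config.loopback

# --- current OpenSSH only: the same policy in one sshd_config via Match ---
# Global default first; the Match block overrides it for loopback clients only.
# "prohibit-password" is the current spelling, "without-password" is still accepted.
PermitRootLogin no
Match Address 127.0.0.1,::1
    PermitRootLogin prohibit-password
```

Both variants decide on the peer address of the TCP connection, so "root only from localhost" really means "root only for someone who already has a shell on the box"; the first hop's authentication (the smartcard key in this thread) is what carries the security. Keep the two daemons on separate PidFile values or the init scripts will stop the wrong one.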


Re: Negated patterns in AllowedUsers

2007-09-06 Thread Radek Hladik

Hi,
all I wanted was to force SSHd to accept root logins only from 
localhost.
More detailed description:
We have SSH keys stored on smart cards and we use them to log in as root 
to our servers. Now we use PermitRootLogin without-password, which enables us 
to control which smartcard can log on as root via 
/root/.ssh/authorized_keys. (I am planning to move this to LDAP but that 
is another story). I was just trying to secure it a little bit more, as 
a user would need to log in as a non-root user and then do ssh [EMAIL PROTECTED] 
I thought it would take about 5 minutes to set up, but I ran into the 
strange sshd behavior regarding AllowedUsers described below.
I do not want sudo or su as they cannot use the SSH key infrastructure and 
agent forwarding. But for clarification I can say that I am looking for an 
su which could authenticate me with my SSH key instead of a password.
I know that root login with a key on a smartcard over the network is secure 
enough (and sufficient for us). I also know that I could use 
pam_wheel, but what I am asking is why sshd behaves so strangely. 
Maybe there is some reason and I just do not see it...


Radek



Johan Karlström wrote:

> Hi Radek,
>
> You should use the sudo command/functionality.
> If that doesn't solve what you are asking about then please explain more
> about what you are trying to achieve.
>
> Regards
>
> > Hi,
> > I need to log in locally via ssh, not by console. I want to
> > incorporate SSH keys and agent forwarding to verify who can log on as root.
> >
> > Radek
> >
> > Christian Grunfeld wrote:
> >
> > > Hi,
> > > for the root user it is quite easy. Just put
> > > PermitRootLogin   No
> > > in sshd_config
> > > This only allows you to log in through the local console
> > > Christian
> > > 2007/9/2, Radek Hladik <[EMAIL PROTECTED]>:
> > >
> > > > Hi,
> > > > I am a little bit confused about pattern behavior when used in the
> > > > AllowedUsers directive. I am trying to limit root logins to localhost.
> > > > First I tried
> > > > AllowedUsers [EMAIL PROTECTED] !root
> > > > which should enable root from localhost and all non-root users from
> > > > anywhere. However, the username part is matched with the match_pattern
> > > > function and this function does not take ! into account (see function
> > > > match_user in match.c).
> > > > Secondly I tried
> > > > DenyUsers [EMAIL PROTECTED]
> > > > which should deny root when logging in from anywhere but localhost.
> > > > The function match_host_and_ip does call match_hostname, which calls
> > > > match_pattern_list. But if the match_hostname function returns -1, which
> > > > means "match found and negation was requested", match_host_and_ip returns
> > > > false as if there were no match. In fact at least one _positive_ match
> > > > is required to return true:
> > > >
> > > > /* negative ipaddr match */
> > > > if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
> > > >     return 0;
> > > > /* negative hostname match */
> > > > if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
> > > >     return 0;
> > > > /* no match at all */
> > > > if (mhost == 0 && mip == 0)
> > > >     return 0;
> > > > return 1;
> > > >
> > > > Is there any reason for such behavior? And is there any other way to
> > > > limit root to localhost in sshd? I know I can limit it e.g. via
> > > > pam_access, but I would expect sshd to be able to do it.
> > > >
> > > >
> > > > Radek Hladik
> > > >
> > > >
> > > > P.S. Version of OpenSSH is openssh-4.5p1
>
> Best regards
> Johan Karlström - CEO, NetRoad AB
> 0705-423 470



Re: Negated patterns in AllowedUsers

2007-09-05 Thread Radek Hladik

Hi,
I need to log in locally via ssh, not by console. I want to incorporate 
SSH keys and agent forwarding to verify who can log on as root.


Radek

Christian Grunfeld wrote:

> Hi,
>
> for the root user it is quite easy. Just put
> PermitRootLogin   No
>
> in sshd_config
>
> This only allows you to log in through the local console
>
> Christian
>
> 2007/9/2, Radek Hladik <[EMAIL PROTECTED]>:
>
> > Hi,
> > I am a little bit confused about pattern behavior when used in the
> > AllowedUsers directive. I am trying to limit root logins to localhost.
> > First I tried
> > AllowedUsers [EMAIL PROTECTED] !root
> > which should enable root from localhost and all non-root users from
> > anywhere. However, the username part is matched with the match_pattern
> > function and this function does not take ! into account (see function
> > match_user in match.c).
> > Secondly I tried
> > DenyUsers [EMAIL PROTECTED]
> > which should deny root when logging in from anywhere but localhost.
> > The function match_host_and_ip does call match_hostname, which calls
> > match_pattern_list. But if the match_hostname function returns -1, which
> > means "match found and negation was requested", match_host_and_ip returns
> > false as if there were no match. In fact at least one _positive_ match
> > is required to return true:
> >
> > /* negative ipaddr match */
> > if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
> >     return 0;
> > /* negative hostname match */
> > if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
> >     return 0;
> > /* no match at all */
> > if (mhost == 0 && mip == 0)
> >     return 0;
> > return 1;
> >
> > Is there any reason for such behavior? And is there any other way to
> > limit root to localhost in sshd? I know I can limit it e.g. via
> > pam_access, but I would expect sshd to be able to do it.
> >
> >
> > Radek Hladik
> >
> >
> > P.S. Version of OpenSSH is openssh-4.5p1




Re: Negated patterns in AllowedUsers

2007-09-05 Thread Christian Grunfeld
Hi,

for the root user it is quite easy. Just put
PermitRootLogin   No

in sshd_config

This only allows you to log in through the local console

Christian

2007/9/2, Radek Hladik <[EMAIL PROTECTED]>:
> Hi,
> I am a little bit confused about pattern behavior when used in the
> AllowedUsers directive. I am trying to limit root logins to localhost.
> First I tried
> AllowedUsers [EMAIL PROTECTED] !root
> which should enable root from localhost and all non-root users from
> anywhere. However, the username part is matched with the match_pattern
> function and this function does not take ! into account (see function
> match_user in match.c).
> Secondly I tried
> DenyUsers [EMAIL PROTECTED]
> which should deny root when logging in from anywhere but localhost.
> The function match_host_and_ip does call match_hostname, which calls
> match_pattern_list. But if the match_hostname function returns -1, which
> means "match found and negation was requested", match_host_and_ip returns
> false as if there were no match. In fact at least one _positive_ match
> is required to return true:
>
> /* negative ipaddr match */
> if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
>     return 0;
> /* negative hostname match */
> if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
>     return 0;
> /* no match at all */
> if (mhost == 0 && mip == 0)
>     return 0;
> return 1;
>
> Is there any reason for such behavior? And is there any other way to
> limit root to localhost in sshd? I know I can limit it e.g. via
> pam_access, but I would expect sshd to be able to do it.
>
>
> Radek Hladik
>
>
> P.S. Version of OpenSSH is openssh-4.5p1
>


Negated patterns in AllowedUsers

2007-09-04 Thread Radek Hladik

Hi,
I am a little bit confused about pattern behavior when used in the
AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers [EMAIL PROTECTED] !root
which should enable root from localhost and all non-root users from
anywhere. However, the username part is matched with the match_pattern
function and this function does not take ! into account (see function
match_user in match.c).
Secondly I tried
DenyUsers [EMAIL PROTECTED]
which should deny root when logging in from anywhere but localhost.
The function match_host_and_ip does call match_hostname, which calls
match_pattern_list. But if the match_hostname function returns -1, which
means "match found and negation was requested", match_host_and_ip returns
false as if there were no match. In fact at least one _positive_ match
is required to return true:

/* negative ipaddr match */
if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
    return 0;
/* negative hostname match */
if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
    return 0;
/* no match at all */
if (mhost == 0 && mip == 0)
    return 0;
return 1;

Is there any reason for such behavior? And is there any other way to
limit root to localhost in sshd? I know I can limit it e.g. via
pam_access, but I would expect sshd to be able to do it.


Radek Hladik


P.S. Version of OpenSSH is openssh-4.5p1
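The matching logic the original post walks through, replayed as an added example (a Python model written for this page, not OpenSSH's own code). It ports match_pattern(), match_pattern_list(), match_hostname(), the quoted match_host_and_ip(), match_user() and the DenyUsers/AllowUsers part of sshd's allowed_user() closely enough to show why both attempts failed and what a working DenyUsers entry looks like. Assumptions: the archive has mangled the user@host patterns in the post into "[EMAIL PROTECTED]"; they are taken here to be root@127.0.0.1 and root@!127.0.0.1 as the surrounding text implies, and the directive is spelled AllowUsers in sshd_config. The client hostnames and addresses are constructed sample values.

```python
"""Model of the OpenSSH match.c / auth.c logic discussed in the thread.
Added example, not OpenSSH source. Client names/addresses are constructed."""


def match_pattern(s: str, pattern: str) -> bool:
    """Port of match_pattern(): '*' matches any run, '?' one character.
    No '!' handling at all, which is why 'AllowUsers !root' never matches."""
    if pattern == "":
        return s == ""
    if pattern[0] == "*":
        rest = pattern.lstrip("*")
        if rest == "":
            return True
        return any(match_pattern(s[i:], rest) for i in range(len(s) + 1))
    if s == "":
        return False
    if pattern[0] == "?" or pattern[0] == s[0]:
        return match_pattern(s[1:], pattern[1:])
    return False


def match_pattern_list(s: str, pattern_list: str, dolower: bool = False) -> int:
    """Port of match_pattern_list(): comma-separated sub-patterns, '!' negates.
    -1: a negated sub-pattern matched (wins immediately);
     1: some positive sub-pattern matched;  0: nothing matched at all."""
    got_positive = 0
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if dolower:
            sub = sub.lower()
        if match_pattern(s, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_hostname(host: str, pattern_list: str) -> int:
    """match_hostname(): the case-insensitive flavour of match_pattern_list()."""
    return match_pattern_list(host.lower(), pattern_list, dolower=True)


def match_host_and_ip(host: str, ipaddr: str, patterns: str) -> int:
    """The function quoted in the thread: a negation on either the name or the
    address is a definite 0, and a 1 needs at least one *positive* match."""
    mip = match_hostname(ipaddr, patterns)
    if mip == -1:
        return 0  # negative ipaddr match
    mhost = match_hostname(host, patterns)
    if mhost == -1:
        return 0  # negative hostname match
    if mhost == 0 and mip == 0:
        return 0  # no match at all
    return 1


def match_user(user: str, host: str, ipaddr: str, pattern: str) -> int:
    """match_user(): 'user' or 'user@hostpatterns'. Only the part after '@'
    goes through the negatable list; the user part is a plain match_pattern()."""
    if "@" not in pattern:
        return 1 if match_pattern(user, pattern) else 0
    user_pat, host_pats = pattern.split("@", 1)
    if not match_pattern(user, user_pat):
        return 0
    return match_host_and_ip(host, ipaddr, host_pats)


def allowed_user(user, host, ipaddr, allow_users=(), deny_users=()) -> bool:
    """DenyUsers is checked first, then AllowUsers (if any), as in auth.c."""
    if any(match_user(user, host, ipaddr, p) == 1 for p in deny_users):
        return False
    if allow_users:
        return any(match_user(user, host, ipaddr, p) == 1 for p in allow_users)
    return True


def demo() -> dict:
    """Replay the thread's two attempts, then the pattern-list form that works."""
    local = ("localhost", "127.0.0.1")           # constructed sample client
    remote = ("box.example.org", "192.0.2.10")   # constructed sample client
    out = {}
    # 1. AllowUsers root@127.0.0.1 !root : '!root' is a user name nobody has,
    #    so root works from loopback but every other user is locked out.
    allow = ["root@127.0.0.1", "!root"]
    out["allow_negated_user"] = (allowed_user("root", *local, allow_users=allow),
                                 allowed_user("alice", *remote, allow_users=allow))
    # 2. DenyUsers root@!127.0.0.1 : a lone negation yields -1 or 0, never the
    #    positive 1 a DenyUsers hit needs, so root is never denied anywhere.
    deny = ["root@!127.0.0.1"]
    out["deny_negated_only"] = (allowed_user("root", *local, deny_users=deny),
                                allowed_user("root", *remote, deny_users=deny))
    # 3. DenyUsers root@!127.0.0.1,* : the '*' supplies the positive match for
    #    every other address while the negation still exempts loopback.
    deny = ["root@!127.0.0.1,*"]
    out["deny_negated_plus_wildcard"] = (allowed_user("root", *local, deny_users=deny),
                                         allowed_user("root", *remote, deny_users=deny),
                                         allowed_user("alice", *remote, deny_users=deny))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The rule the model exposes is the one sshd_config(5) documents for pattern lists in general (a negated pattern only excludes, it never matches on its own, so it has to be paired with a positive pattern such as a trailing `*`). Negate the address rather than the name: with UseDNS off the "host" string sshd matches is just the address again, and with DNS on a spoofable reverse name is a poor thing to hang a root exception on. As the thread notes, this is only a second line after PermitRootLogin without-password and authorized_keys; the loopback restriction means "root only for someone who already authenticated to this box".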