thanks

thanks any help

Yes, you can do that. It seems to work somewhat although it still asks for a password from elsewhere.
Now I can have my “alias sshdo=’ssh root@localhost’” combined with ssh-agent :)

PermitRootLogin without-password

This method works with ubuntu linux. Not in Freebsd,

Any idea for resolving

I have yet to find a decent working solution that does not rely on multiple instances or external dependencies (eg PAM) but I have it can be done however how is another animal completely.

Thanx again for the advice

Your best option may well just be a seperate sshd process that listens on a different port, that only allows root access. I would combine that with iptables (or other firewall) to only accept incoming connections to your second sshd port from your known/allowed hosts. Then, just update your automated scrips to connect to your non-standard port. Not too bad, considering that once you get it set up, it should run forever. Any localhost root users should be smart enough to accomodate the non-standart port assignment.

Cheers,
LinuxLuser

Like eMBee, I am trying to deny root login from everywhere EXCEPT a specific host which is used to run automated remote tasks as root through ssh using keys.

I have tried combinations AllowUser, DenyUsers to no avail.
sshd_config takes preference over ssh_config so host definitions get overridden by the sshd_config entry “PermitRootLogin no”

Using PAM restrictions is not really an option as this is an AIX box.

Any idea as too how to achieve this would be greatly appreciated!
- Michael

I tried adding AllowUsers and restarting the sshd server but it still allows other users to ssh.
It does not restrict users too… I even tried DenyUsers nothing works…. Need help.

Thank you.
Regards,
Ram

Above denies root to login remotely but is able to login locally on the console.

Use sudo to give access to sys admins.

how can i restrict a user to view others folder except his own folder after login?

thanks

steve

i look forward to try the suggestions in nixcrafts new article soon.

AllowUsers: root@localhost
AllowGroups: users

the result was that noone could login, even adding root to the group users didn’t help.

There is also a iptables module which attempts to match various characteristics of the packet creator (both INPUT and OUTPUT chain) but it is badly broken and it may not work on SMP system at all.

I will post more info about login access control tables soon. See URL: http://www.cyberciti.biz/tips/openssh-root-user-account-restriction-revisited.html

Have you evaluated or considered sudo option? I use sudo extensively here. Although it is not 100% perfect but better than sharing root password. It also log down all failed (or command access) messages. Sudo is your best option, IMPO.

Let me know if you are aware of any other tools or methods….

AllowUsers says in the documentation:
“If specified, login is allowed only for user names that match one of the patterns.”

that means ALL OTHER users will be blocked, which is not desired either. i need something that allows me to say: allow any users except root from anywhere, and root only from localhost.

there may be a way to combine AllowUsers and AllowGroups, but the docs say nothing about how those two would interact.