OpenSSH Root user account restriction - revisited

One of our article generated few more question regarding root login issues over ssh session. One of reader (eMBee) asks, "I need something that allows me to say: allow any users except root from anywhere, and root only from localhost. (over ssh session)".
PAM offers very powerful authentication control. You need to use the pam_access PAM module, which is mainly for access management. It provides login access control based on
- Login names
- Host or domain names
- Internet addresses or network IP numbers
- Terminal line names etc
Why pam_access matters?
On a production server, authorized login can come from any networked computer. Therefore, it is important to have tight control over users who are allowed to connect server via OpenSSH server.
How do I configure pam_access?
You need to edit following files:
- /etc/pam.d/sshd - Linux PAM configuration file.
- /etc/security/access.conf - By default rules for access management are taken from configuration this file. When someone logs in, the entry in this scanned and matched against rule. You can specify whether the login will be accepted or refused to user. General syntax is as follows:
permission : username: origins
Where,
- permission : Permission field should be a "+" (access granted) or "-" (access denied)
character. - username : Linux system username/login name such as root, vivek etc. You can also specify group names. You can also use special keywod ALL (to match all username).
- origins : It is a list of one ore more tty names, host name, IP address, domain names that begin with . or special key words ALL or LOCAL
Let us say you want to allow user root and vivek login from IP address 202.54.1.20 only.
Open file /etc/security/access.conf
# vi /etc/security/access.conf
Append following line:
-: ALL EXCEPT root vivek:202.54.1.20
Save the file and Open /etc/pam.d/sshd file :
# vi /etc/pam.d/sshd
Append following entry
account required pam_access.so
Save and close the file.
Now ssh will only accept login access from root/vivek from IP address 202.54.1.20. Now if user vivek (or root) try to login ssh server from IP address 203.111.12.3 he will get
'Connection closed by xxx.xxx.xx.xx'; error and following log entry should be written to your log file:
# tailf /var/log/message
Output:
Aug 2 19:02:39 web02 pam_access[2091]: access denied for user `vivek' from `203.111.12.3'
Remember, as soon as you save changes to /etc/security/access.conf, they are applied by PAM configuration. So be careful when writing rules.
More examples
a) I need something that allows me to say: allow any users except root from anywhere, and root only from localhost.
-:root:ALL EXCEPT LOCAL
OR
-:root:ALL EXCEPT localhost
b) Deny network and local login to all users except for user root and vivek:
-:ALL EXCEPT root vivek:ALL
c) Only allow root user login from 192.168.1.0/24 network:
+ : root : 192.168.1.0/24
Please note that this kind of restriction can be applied to any PAM aware application/service such as ftpd, telnet etc.
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or full RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in...
- nixCraft FAQ roundup
- Happy 8th Birthday, OpenSSH!
- Allow normal user to dialout Internet
- FreeBSD: Finding passwordless (no password) account and lock all accounts
- Download of the Day: OpenSSH Server 5.0 ( security fix release )
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
~ Last updated on: October 28, 2006


Weird! I added “account required pam_access.so” into “/etc/pam.d/sshd” and modify “/etc/security/access.conf” to
“-:ALL EXCEPT root:10.10.10.12″ but I still managed ssh login from other IP Address(e.g: 10.10.10.2, 10.10.10.3)
I found a solution:
vi /etc/security/access.conf and added this 2 lines
- : root : ALL
+ : root : 10.10.10.52.
and save.
[...] After read “OpenSSH Root user account restriction – revisited” article, I did a test on my testing server. [...]
You state that one should edit /etc/pam.d/sshd to enable the access.conf file. But this is not really what you should advise. What you should say is that one has to edit /etc/pam.d/ssh and add a line forcing usage of /etc/security/access.conf. If one just hacks on /etc/pam.d/sshd then anyone can still login since you have not configured PAM access.conf!
You have to modify /etc/pam.d/ssh not /etc/pam.d/sshd
The file name changes from one Linux distro to another. So it may be ssh or sshd.
That’s because pam_access scans access.conf for the first entry that matches the (user, host) combination. Your line does not match any address except 10.10.10.12, so you have denied all users except root from logging in from 10.10.10.12. The line does not effect connections from any other host.