Comments on: OpenSSH Root user account restriction – revisited

By: Peter L

Peter L — Mon, 21 Dec 2009 23:19:29 +0000

I found that the order of entries in /etc/pam.d/sshd matters. Line “account required pam_access.so” must be prepended, not appended to the end of the file. It must appear before the other “account” lines. Otherwise great guide – thanks dude!

By: Max

Max — Wed, 24 Jun 2009 23:50:07 +0000

How do you edit the access line to accept a group name with a space in it?:
-:ALL EXCEPT Domain Users :ALL seems to read the groups as Domain and Users. adding “quotes” didn’t work either.

By: James

James — Thu, 04 Jun 2009 20:52:30 +0000

@Thorne

Actually, OpenSSH does support a multitude of Allow/Deny mechanisms, though I believe they are all ANDed together. Thus, obtaining the behavior described in the intro to this page is not possible with OpenSSH alone. Here are the Allow/Deny mechanisms supported by OpenSSH.

AllowGroups
AllowTcpForwarding
AllowUsers
DenyGroups
DenyUsers

By: Khandakar Ashfaqur Rahman

Khandakar Ashfaqur Rahman — Thu, 19 Mar 2009 05:59:01 +0000

Good Solution.

Regards,
Rigan

By: Thorne Lawler

Thorne Lawler — Wed, 14 Jan 2009 02:52:40 +0000

How should this (fairly obvious, common) restriction be implemented on systems which do not use PAM?

I’m quite disappointed with the OpenSSH dev team for this: A multitude of other Allow/Deny mechanisms have supported this kind of behaviour for longer than I’ve been alive. Why the great leap backwards?

By: Matthew Feinberg

Matthew Feinberg — Tue, 03 Oct 2006 18:26:12 +0000

That’s because pam_access scans access.conf for the first entry that matches the (user, host) combination. Your line does not match any address except 10.10.10.12, so you have denied all users except root from logging in from 10.10.10.12. The line does not effect connections from any other host.

By: nixcraft

nixcraft — Wed, 30 Aug 2006 14:31:47 +0000

The file name changes from one Linux distro to another. So it may be ssh or sshd.

By: jeremiah

jeremiah — Wed, 30 Aug 2006 14:03:31 +0000

You have to modify /etc/pam.d/ssh not /etc/pam.d/sshd

By: jeremiah

jeremiah — Wed, 30 Aug 2006 14:02:30 +0000

You state that one should edit /etc/pam.d/sshd to enable the access.conf file. But this is not really what you should advise. What you should say is that one has to edit /etc/pam.d/ssh and add a line forcing usage of /etc/security/access.conf. If one just hacks on /etc/pam.d/sshd then anyone can still login since you have not configured PAM access.conf!

By: Planet Malaysia Blog » Blog Archive » SSH Root Access Login Control

Planet Malaysia Blog » Blog Archive » SSH Root Access Login Control — Thu, 03 Aug 2006 05:08:09 +0000

[...] After read “OpenSSH Root user account restriction – revisited” article, I did a test on my testing server. [...]

By: Planet Malaysia

Planet Malaysia — Thu, 03 Aug 2006 04:53:34 +0000

I found a solution:
vi /etc/security/access.conf and added this 2 lines
- : root : ALL
+ : root : 10.10.10.52.
and save.

By: Planet Malaysia

Planet Malaysia — Thu, 03 Aug 2006 03:56:13 +0000

Weird! I added “account required pam_access.so” into “/etc/pam.d/sshd” and modify “/etc/security/access.conf” to
“-:ALL EXCEPT root:10.10.10.12″ but I still managed ssh login from other IP Address(e.g: 10.10.10.2, 10.10.10.3)