Hi,
I need to login locally via ssh not by console. I want to incorporate
SSH keys and agent forwaring to verify who can logon as root.
Radek
Christian Grunfeld napsal(a):
Hi,
for root user is quite easy. Just put
PermitRootLogin No
in sshd_config
This only allow you to login thru local console
Christian
2007/9/2, Radek Hladik <radek@eadresa.cz>:
Hi,
I am a little bit confused about patterns behavior when used in
AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers root@localhost !root
which should enable root from localhost and all nonroot users from
anywhere. However the username part is matched with match_pattern
function and this function does not take ! into account (see func
match_user in match.c).
Secondly I tried
DenyUsers root@!localhost
which should deny root when logging from anywhere but localhost.
Function match_host_and_ip does call match_hostname which calls
match_pattern_list. But if match_hostname function returns -1 which
means "match found and negation was requested", match_host_and_ip return
false as there would be no match. As fact at least one _positive_ match
is required to return true:
/* negative ipaddr match */
if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
return 0;
/* negative hostname match */
if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
return 0;
/* no match at all */
if (mhost == 0 && mip == 0)
return 0;
return 1;
Is there any reason for such a behavior? And is there any other way how
to limit root to localhost in sshd? I know I can limit it i.e. via
pam_access but I would expect sshd to be able to do it.
Radek Hladik
P.S. Version of OpenSSH is openssh-4.5p1
