Re: Negated patterns in AllowedUsers

Subject: Re: Negated patterns in AllowedUsers
Date: Thu, 06 Sep 2007 01:52:17 +0200
Hi,
all I wanted was to force SSHd to accept root logins only from localhost.
More detailed description:
We have SSH keys stored on smart cards and we use them to log in as root to our servers. Now we use PermitRoot without-password, which enables us to control which smartcard can log on as root via /root/.ssh/authorized_keys. (I am planning to move this to LDAP but it is another story.) I was just trying to secure it a little bit more, as a user would need to log in as a nonroot user and then do ssh root@localhost. I thought it would take like 5 minutes to set up, but I've run into the strange SSHd behavior regarding AllowedUsers described below.
I do not want sudo or su as they cannot use the SSH key infrastructure and agent forwarding. But for clarification I can say that I am looking for an su which could authenticate me with my SSH key instead of a password.
I know that root logging in with a key on a smartcard over the network is secure enough (and sufficient for us). I also know that I could use pam_wheel, but what I am asking is why SSHd behaves so strangely. Maybe there is some reason and I just do not see it...


Radek



Johan Karlström napsal(a):
Hi Radek,

You should use the sudo command/functionality.
If that doesn't solve what you are asking about then please explain more about what you are trying to achieve.


Regards

Hi,
I need to log in locally via ssh, not by console. I want to incorporate SSH keys and agent forwarding to verify who can log on as root.


Radek

Christian Grunfeld napsal(a):
Hi,
for the root user it is quite easy. Just put
PermitRootLogin   No
in sshd_config
This only allows you to log in through the local console
Christian
2007/9/2, Radek Hladik <radek@eadresa.cz>:
Hi,
I am a little bit confused about pattern behavior when used in the
AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers root@localhost !root
which should enable root from localhost and all nonroot users from
anywhere. However, the username part is matched with the match_pattern
function and this function does not take ! into account (see function
match_user in match.c).
Secondly I tried
DenyUsers root@!localhost
which should deny root when logging in from anywhere but localhost.
Function match_host_and_ip does call match_hostname, which calls
match_pattern_list. But if the match_hostname function returns -1, which
means "match found and negation was requested", match_host_and_ip returns
false as if there were no match. In fact at least one _positive_ match
is required to return true:


    /* negative ipaddr match */
    if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
        return 0;
    /* negative hostname match */
    if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
        return 0;
    /* no match at all */
    if (mhost == 0 && mip == 0)
        return 0;
    return 1;


Is there any reason for such a behavior? And is there any other way to
limit root to localhost in sshd? I know I can limit it e.g. via
pam_access, but I would expect sshd to be able to do it.


Radek Hladik


P.S. Version of OpenSSH is openssh-4.5p1



Mvh
Johan Karlström  - VD  NetRoad AB
0705-423 470
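To make the decision logic quoted in the thread concrete, here is an added example (my own simplified reimplementation, not OpenSSH's match.c and not code from anyone in this thread): a minimal glob matcher and a pattern-list matcher with the same return convention (1 for a positive match, -1 for a negated match, 0 for none) feeding the quoted match_host_and_ip structure. It shows why a lone "!localhost" never matches anything, and that a negation only takes effect beside a positive entry such as "*,!localhost"; the hostnames and addresses are constructed sample values.

```c
#include <stdio.h>
/* Minimal glob ('*' any run, '?' one char). Added example, not OpenSSH's match.c. */
static int match_pattern(const char *s, const char *p)
{
    for (; *p != '\0'; s++, p++) {
        if (*p == '*')                        /* try every suffix after the star */
            for (p++;; s++) {
                if (match_pattern(s, p)) return 1;
                if (*s == '\0') return 0;
            }
        if (*s == '\0' || (*p != '?' && *p != *s)) return 0;
    }
    return *s == '\0';
}
/* Comma-separated list, '!' negates an entry: -1 on first negated match, 1 if a positive entry matched, else 0. */
int match_pattern_list(const char *s, const char *list)
{
    char pat[256]; int negated, got_positive = 0; size_t i;
    while (*list != '\0') {
        if ((negated = (*list == '!'))) list++;
        for (i = 0; *list != '\0' && *list != ',' && i < sizeof pat - 1; list++)
            pat[i++] = *list;
        pat[i] = '\0';
        if (*list == ',') list++;
        if (match_pattern(s, pat)) {
            if (negated) return -1;           /* a negated match vetoes the whole list */
            got_positive = 1;
        }
    }
    return got_positive;
}
/* Same decision structure as the sshd snippet quoted in the thread. */
int match_host_and_ip(const char *host, const char *ipaddr, const char *patterns)
{
    int mhost, mip;
    if ((mip = match_pattern_list(ipaddr, patterns)) == -1) return 0;  /* negative ipaddr match */
    if ((mhost = match_pattern_list(host, patterns)) == -1) return 0;  /* negative hostname match */
    if (mhost == 0 && mip == 0) return 0;                              /* no positive match at all */
    return 1;
}
int main(void)
{
    /* lone negation matches nothing (prints 0 0); "*,!localhost" adds the positive catch-all (prints 0 1) */
    printf("!localhost: %d %d  *,!localhost: %d %d\n",
           match_host_and_ip("localhost", "127.0.0.1", "!localhost"),
           match_host_and_ip("remote.example", "192.0.2.10", "!localhost"),
           match_host_and_ip("localhost", "127.0.0.1", "*,!localhost"),
           match_host_and_ip("remote.example", "192.0.2.10", "*,!localhost"));
    return 0;
}
```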
