Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: BOD on December 23, 2004, 12:51:50 AM
-
Is it possible to only allow root to SSH inside the network?
i.e. from external access root would be refused?
-
Yes
-
duncan means: check server manager - security - remote access.
-
I've tried all of those and it isn't what I want :-(
I want to be able to use SSH as root only inside my network, so if I used the root account outside I would be refused.
-
mbachmann is correct. Under server manager/security/remote access, check the secure shell access. You should have yours set to Allow access only from local networks. I just tested this on a server I remotely manage. I changed the settings to only allow local and I was denied ssh access to the box.
Now, if you have added any networks in the local access section, then those networks will still be able to ssh to the server.
GL,
JB
-
mbachmann is correct.
mbachmann is usually correct. On this occasion he is not.
Under server manager/security/remote access, check the secure shell access. You should have yours set to Allow access only from local networks. I just tested this on a server I remotely manage. I changed the settings to only allow local and I was denied ssh access to the box.
IIUC, the original poster wants to allow ssh in as root only from the local network. Unfortunately, that's not an option that sshd supports. You'd need to run two instances of sshd, one configured to allow access to "root", and the other not. You'd need to direct connections from the local network to the first instance, and connections from elsewhere (i.e. from the Internet) to the second.
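
A sketch of the two-instance layout described in the post above, as an added example that is not part of the original thread and not SME Server's own configuration. It assumes a server with one internal and one external interface and plain OpenSSH config files; the file paths, PID file names and both IP addresses are constructed placeholders, and it does not cover how SME Server itself generates its sshd configuration.

```conf
# ===== File 1 (hypothetical path): /etc/ssh/sshd_config.lan =====
# Instance reachable only from the local network; root may log in here.
# Start with:  sshd -f /etc/ssh/sshd_config.lan

# Bind to the internal interface only (constructed address).
ListenAddress 192.168.1.1
Port 22

# Root login is permitted on this instance only.
PermitRootLogin yes

# Separate PID file so the two daemons do not overwrite each other's.
PidFile /var/run/sshd-lan.pid


# ===== File 2 (hypothetical path): /etc/ssh/sshd_config.wan =====
# Instance reachable from the Internet; root is refused here.
# Start with:  sshd -f /etc/ssh/sshd_config.wan

# Bind to the external interface only (constructed address, documentation range).
ListenAddress 203.0.113.10
Port 22

# Root login is refused; administrators log in as an ordinary user
# and escalate with su or sudo, as the later replies suggest.
PermitRootLogin no

PidFile /var/run/sshd-wan.pid
```

Each file can be checked before starting its daemon with `sshd -t -f <file>`. Because each instance binds to a single address, a connection arriving on the external interface can only ever reach the instance that refuses root.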
-
The easiest wouldn't be disallow root connection, but let just one user execute the "su" command?
You could prevent root from connecting (is it possible?) and allow one of your users (you) to sudo to gain root access...
I'm using a contrib from here, can't remember the name. It lets you control ssh user access...
-
The easiest wouldn't be disallow root connection, but let just one user execute the "su" command?
Not quite. The easiest would be to disallow root connection, but allow one user to execute the "su" command.
You could prevent root from connecting (is it possible?)
Yes it is, it's the default condition.
and allow one of your users (you) to sudo to gain root access...
Yep, sudo is a good thing.
-
The easiest wouldn't be disallow root connection, but let just one user execute the "su" command?
Not quite. The easiest would be to disallow root connection, but allow one user to execute the "su" command.
That's what I meant :-D