[Bug 995] PermitRootLogin by IP address block specification

bugzilla-daemon at mindrot.org
Tue Mar 8 06:56:46 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=995

           Summary: PermitRootLogin by IP address block specification
           Product: Portable OpenSSH
           Version: 3.6.1p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: dts at senie.com


In looking at the options for PermitRootLogin, we find that none properly
address our needs. We use root login with password between servers in a data
center. All of these machines are firewalled. We prefer to leave root login
permitted for various infrequent operations (file copies, etc.) but do not want
to leave keys on the machine to allow such commands at will (concerns that if
one machine is compromised, we would have all machines compromised).

So, we'd like to suggest a mechanism that would permit us to specify one or more
CIDR blocks as places from which root login is permitted. That way, we can
connect into the data center, and then connect among machines as desired, with
fewer issues.

Please consider this an enhancement request. Were it not for the present
pounding our machines take from people trying to break in by guessing passwords,
we probably would not even be asking. As a precaution due to the attacks, we
have disabled root login entirely, but this is interfering with some of our
normal workflow.

I'd be happy to answer any questions.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
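
The check requested above, as an added example (not OpenSSH code and not part of the original report): a source address is tested against a list of permitted CIDR blocks before root login is considered. The names `parse_cidr`, `root_login_allowed` and `SAMPLE_BLOCKS` are hypothetical, the addresses are constructed, and only IPv4 is handled.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample list; the last entry is deliberately malformed. */
static const char *const SAMPLE_BLOCKS[] = {"10.20.0.0/16", "192.0.2.16/28", "172.16.5.1/12"};

/* Parse "a.b.c.d/len" (bare address = /32) into host-order net and mask.
   Returns 0 on success, -1 on malformed input. */
static int parse_cidr(const char *s, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long bits = 32;

    if (strlen(s) >= sizeof(buf)) return -1;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash++ = '\0';
        if (!isdigit((unsigned char)*slash)) return -1;   /* no sign, no blanks */
        bits = strtol(slash, &end, 10);
        if (*end != '\0' || bits > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);   /* avoid shift by 32 */
    *net = ntohl(a.s_addr);
    return (*net & ~*mask) ? -1 : 0;   /* host bits set (10.1.2.3/8): reject */
}

/* Returns 1 if client lies inside any listed block, 0 otherwise. Fails closed:
   a malformed client address or list entry never grants access. */
int root_login_allowed(const char *client, const char *const *blocks, size_t n)
{
    uint32_t addr, full, net, mask;
    if (strchr(client, '/') || parse_cidr(client, &addr, &full) != 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (parse_cidr(blocks[i], &net, &mask) == 0 && (addr & mask) == net)
            return 1;
    return 0;
}

int main(void)
{
    const char *probe[] = {"10.20.3.7", "192.0.2.32", "172.16.5.1"};
    for (size_t i = 0; i < 3; i++)
        printf("%-12s root login %s\n", probe[i],
               root_login_allowed(probe[i], SAMPLE_BLOCKS, 3) ? "allowed" : "refused");
    return 0;
}
```

A source-address check of this kind narrows where password guessing can come from; it does not authenticate the client, so it complements the firewalling the report mentions.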