permitrootlogin=no does NOT help

mark.pitt at ch.ibm.com mark.pitt at ch.ibm.com
Mon May 21 22:03:20 EST 2001

Thanks for replying guys but:

The problem I have is this:

I cannot turn off telnetd and rlogind for all users in one day - they use
rlogin=false for each user, i.e.:

chuser rlogin=false root

Unfortunately ssh does not allow access when this is set.

I would like to use ssh at first just for root, and then for other users
after testing etc.  permitrootlogin is a ssh concept, not applicable to
telnet and rlogin  - I am trying to allow root access only via ssh and
public keys of authorised users, with a tracking mechanism via ssh logging
of which public key had granted access.

Pekka Savola understands exactly what I am trying to achieve when he wrote:

This is an attempt to solve the account management problem.
For example, consider a company with 50 servers which are managed by 5-10
admins.  When the admins switch jobs, you always have to make sure their
accounts are deleted, new ones added etc.  Also, it's a pain for the
admins to set up passwords for each, and change them in each, etc.

Real pain.  Some custom password/user management tools make this a bit
easier, but not much.  If there are good, reliable systems for this, I
sure would like to know of them.

There are obvious advantages not having to know (unless something dire
happens) the root password yet being able to do work as root in
multi-admin circumstances.

How SSH makes this easier is that you only have to sync the
authorized_keys2 database to root account's .ssh/ every time new admin
comes in/leaves the house.  This can even be automatized rather easily.  A
more modular hack would be using authorized_keys2 _directory_, and the
keys in there would all be counted as authorized.  Thus only one file
copy/removal would do the job, no need for sync; this would be profitable
in environments where all admins don't have access to all systems.
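As an added example (not from this thread or from OpenSSH itself) of the tracking mechanism the post asks for, this Python script attributes sshd "Accepted publickey" entries for root to the admin whose key is listed in authorized_keys, by computing each key's SHA256 fingerprint the way ssh-keygen -l does. It assumes the modern OpenSSH log format, which prints the fingerprint at LogLevel INFO, and uses constructed key blobs and log lines.

```python
import base64
import hashlib
import re

# Modern sshd INFO-level accept line (assumed OpenSSH >= 6.8 log format).
ACCEPT_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
                       r"port \d+ ssh2: \S+ (?P<fp>SHA256:[A-Za-z0-9+/]+)")

def fingerprint(b64_blob):
    """OpenSSH SHA256 fingerprint: base64(sha256(key blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_authorized_keys(text):
    """Map fingerprint -> key comment (admin name), tolerating a leading options field."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if line.startswith("#") or idx is None or idx + 1 >= len(parts):
            continue
        mapping[fingerprint(parts[idx + 1])] = " ".join(parts[idx + 2:]) or "<no comment>"
    return mapping

def attribute_logins(log_lines, key_map):
    """Return (user, source ip, admin-or-UNKNOWN) for every accepted publickey login."""
    out = []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if m:
            out.append((m["user"], m["ip"], key_map.get(m["fp"], "UNKNOWN KEY " + m["fp"])))
    return out

def _fake_ed25519_blob(seed):
    """Constructed wire-format blob ('ssh-ed25519' + 32 bytes); not a real key."""
    kt = b"ssh-ed25519"
    raw = len(kt).to_bytes(4, "big") + kt + (32).to_bytes(4, "big") + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

# Constructed authorized_keys (comment names the admin) and sshd log lines; the second key is not on file.
AUTHORIZED_KEYS = f"ssh-ed25519 {_fake_ed25519_blob(1)} alice@admin\n"
KEY_MAP = load_authorized_keys(AUTHORIZED_KEYS)
SAMPLE_LOG = [
    "May 21 22:03:20 srv1 sshd[4242]: Accepted publickey for root from 192.0.2.10 "
    f"port 50122 ssh2: ED25519 {fingerprint(_fake_ed25519_blob(1))}",
    "May 21 22:05:01 srv1 sshd[4250]: Accepted publickey for root from 192.0.2.11 "
    f"port 50130 ssh2: ED25519 {fingerprint(_fake_ed25519_blob(9))}",
]
```

Because sshd logs only the fingerprint, the comment field on each authorized_keys entry is what makes the attribution meaningful; a fingerprint that matches nothing on file is flagged rather than silently dropped.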
