((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Ben Lindstrom
mouring at etoh.eviladmin.org
Sat Feb 15 10:08:19 EST 2003
On Fri, 14 Feb 2003, Dan Astoorian wrote:
> On Fri, 14 Feb 2003 16:48:30 EST, Ben Lindstrom writes:
> >
> > I think we are making this more complex than it really is. The only valid
> > rules should be as such
> >
> > If PermitRootLogin then
> > goto Accepted # Damn it, if I state root is allowed, it damn well
> > better be honored.
>
> I don't think I agree with this.
>
> I'd interpret "PermitRootLogin" in this case as being relevant to any
> user with uid=0, whereas AllowUsers and DenyUsers refer to specific
> entries in /etc/passwd.
>
IF you have multiple uid=0 users you are doing stupid things.
I refuse to buy into the "But I want multiple uid=0 sers". It is a load
of bullshit.
> "PermitRootLogin no" is presumably intended to enforce the policy "no
> superuser account may ever connect via ssh," for the same reason many
> systems are configured to restrict root logins to a (presumably
> physically secure) console; I see no justification to infer that
> "PermitRootLogin yes" should circumvent any additional constraints, such
> as DenyUsers.
>
There is only one 'superuser' account.. So it is acceptable and correct to
bypass.
> Do PermitRootLogin=without-password or PermitRootLogin=forced-commands-only
> present any further considerations?
>
Any PermitRootLogin setting other than 'no'.
> Currently, PermitRootLogin is handled independently anyway.
>
> [snip remainder of algorithm, which appears to be identical to the one I
> suggested :-) ]
>
> > I can see someone going.. "But this breaks DenyUser root". Well tought,
> > if you don't want root, use the right option.
>
> What if I want
> AllowUsers shutdown
>
> where "shutdown" is a uid=0 account with a shell of /etc/shutdown, but I
> don't want to permit root to log in via ssh?
>
See comment about about doing stupid things..
- Ben
More information about the openssh-unix-dev
mailing list