sshd_config question.
Darren Tucker
dtucker at zip.com.au
Mon Nov 27 12:06:54 EST 2006
Peter Stuge wrote:
> On Thu, Nov 09, 2006 at 12:22:33AM -0500, doug at safeport.com wrote:
>> I want to allow a single host root access via ssh. If the order of
>> processing DenyUsers, AllowUsers were reversed this could be done in
>> a straightforward manner.
>>
>> My question is, would adding an Apache-like directive Order
>> Deny,Allow violate any standards or be a security problem?
>
> Couldn't you use the Match keyword (new in 4.4 IIRC) to do this in an
> even more straightforward manner? :)
You can't (yet), because PermitRootLogin isn't supported by Match (yet).
Anyway, Match is an attempt to solve "how do I make sshd do X on a per-Y
basis?" (for most values of X and Y) and the order is significant (unlike
AllowUsers and friends, where the order is hardcoded). So once it's
supported this would simply be:
PermitRootLogin no
Match Host rootallowed.example.com
    PermitRootLogin yes
Now if only the slacker responsible would finish the job (oh, wait,
that's me :-).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.