Group: comp.os.linux.networking
From: Unruh
Date: Monday, April 07, 2008 12:22 PM
Subject: Re: How to PREVENT a user from logging in through SSH

Ignoramus10392 writes:

>On 2008-04-07, Peter Ludikovsky wrote:
>> Ignoramus10392 wrote:
>>> On 2008-04-07, Peter Ludikovsky wrote:
>>>> Ignoramus10392 wrote:
>>>>> Given prevalence of SSH dictionary attacks, I want to fortify my
>>>>> systems a little.
>>>>>
>>>>> I have several local (inside the house) users who I do NOT want to be
>>>>> able to log on from outside via ssh.
>>>>>
>>>>> I would like to disable any remote SSH logins for these users.
>>>>>
>>>>> How can I do that?
>>>>>
>>>>> thanks
>>>> man 5 sshd_config
>>>> Look at the AllowUsers / DenyUsers entries
>>>
>>> Looks great to me. Thanks. I assume that if I say AllowUsers
>>> ...,root,... then, in conjunction with PermitRootLogin
>>> without-password the passworded root login will not be allowed.
>>>
>>> I will try to verify everything.
>>>
>>> i
>>
>> Security-wise it would be better to say "PermitRootLogin no" and
>> "su"||"sudo" when needed. Also, setting "PasswordAuthentication no" and
>> using Public Key Authentication is a good idea.
>>
>> hth
>> /peter

>Thanks. It worked fine. I have permitrootlogin without-password.

>I do need from time to time to perform root tasks from scripts, for
>example restarting named after DNS zone files update. I cannot fully
>disable root login, though not letting passworded root logins is a
>good idea which I already follow.

You did not understand him. Disallow root logins. Then you can get in as
yourself and then su or sudo to root.
If you put yourself into the sudo list then you could do a passwordless
root login to yourself, and run the script which has a sudo in it to allow
root to do the things it needs to do. You can also make sure that sudo only
allows a few commands to be done in that way.



>Setting PasswordAuthentication to no seems like a very dangerous idea
>that can leave me stranded.

How?
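
The setup suggested in this thread, written out as an added example that is not part of the original posts. The account names alice, bob and deploy and the path of the named init script are assumptions.

```conf
# /etc/ssh/sshd_config (fragment)

# Before, as described in the thread: root may log in over SSH with a key.
#PermitRootLogin without-password

# After: no direct root login; administrators log in as themselves.
PermitRootLogin no

# Keys only, so a dictionary attack has no password prompt to guess at.
PubkeyAuthentication yes
PasswordAuthentication no
# With PAM in use, keyboard-interactive can still ask for a password
# unless it is switched off as well.
ChallengeResponseAuthentication no

# House-only accounts (assumed names) are refused by sshd entirely.
DenyUsers alice bob
# Stricter alternative: list only the accounts that may use SSH at all.
#AllowUsers deploy

# Check the file with "sshd -t" before reloading, and keep an existing
# session open until a fresh key-based login has been confirmed.

# ---------------------------------------------------------------
# /etc/sudoers (edit with visudo, verify with "visudo -c")

# The assumed account "deploy" may run exactly this one command as root
# without a password; this line grants nothing else.
deploy ALL=(root) NOPASSWD: /etc/init.d/named restart
```

A script then logs in as deploy with its key and runs `sudo /etc/init.d/named restart`, so root never needs to be reachable over SSH.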


