Group: comp.os.linux.networking
From: Ignoramus10392
Date: Monday, April 07, 2008 12:56 PM
Subject: Re: How to PREVENT a user from logging in through SSH

On 2008-04-07, Unruh wrote:
> Ignoramus10392 writes:
>
>>On 2008-04-07, Peter Ludikovsky wrote:
>>> Ignoramus10392 wrote:
>>>> On 2008-04-07, Peter Ludikovsky wrote:
>>>>> Ignoramus10392 wrote:
>>>>>> Given prevalence of SSH dictionary attacks, I want to fortify my
>>>>>> systems a little.
>>>>>>
>>>>>> I have several local (inside the house) users who I do NOT want to be
>>>>>> able to log on from outside via ssh.
>>>>>>
>>>>>> I would like to disable any remote SSH logins for these users.
>>>>>>
>>>>>> How can I do that?
>>>>>>
>>>>>> thanks
>>>>> man 5 sshd_config
>>>>> Look at the AllowUsers / DenyUsers entries
>>>>
>>>> Looks great to me. Thanks. I assume that if I say AllowUsers
>>>> ...,root,... then, in conjunction with PermitRootLogin
>>>> without-password the passworded root login will not be allowed.
>>>>
>>>> I will try to verify everything.
>>>>
>>>> i
>>>
>>> Security-wise it would be better to say "PermitRootLogin no" and
>>> "su"||"sudo" when needed. Also, setting "PasswordAuthentication no" and
>>> using Public Key Authentication is a good idea.
>>>
>>> hth
>>> /peter
>
>>Thanks. It worked fine. I have permitrootlogin without-password.
>
>>I do need from time to time to perform root tasks from scripts, for
>>example restarting named after DNS zone files update. I cannot fully
>>disable root login, though not letting passworded root logins is a
>>good idea which I already follow.
>
> You did not understand him. Disallow root logins. Then you can get in as
> yourself and then su or sudo to root.

automatically from a script?

> If you put yourself into the sudo list then you could do a
> passwordless root login to yourself, and run the script which has a
> sudo in it to allow root to do the things it needs to do. You can
> also make sure that sudo only allows a few commands to be done in
> that way.

I guess I was mistaken, but I thought that both sudo and su require me
to enter some kind of password (mine or root's). Is that wrong?

i
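
The setup discussed in this thread, written out as an added example that is not part of the original posts. The account names (admin, dnsupdate, kid1, guest), the LAN range 192.168.1.0/24 and the command path /usr/sbin/rndc are assumptions chosen for illustration.

```conf
# --- /etc/ssh/sshd_config (fragment) ---
# Once AllowUsers is set, only the listed users may log in over SSH.
# "admin" and "dnsupdate" (hypothetical accounts) may connect from anywhere;
# "kid1" and "guest" only from the assumed home LAN (USER@HOST pattern).
AllowUsers admin dnsupdate kid1@192.168.1.* guest@192.168.1.*

# No direct root login; root tasks go through sudo (rule below).
PermitRootLogin no

# Public keys only by default, so password guessing from outside cannot succeed.
PasswordAuthentication no

# Optional: clients on the assumed LAN range may still use passwords.
Match Address 192.168.1.0/24
    PasswordAuthentication yes

# --- /etc/sudoers.d/dnsupdate (edit with: visudo -f /etc/sudoers.d/dnsupdate) ---
# The script account may run exactly one command as root, with no password
# prompt (NOPASSWD). The path to rndc is an assumption; use the real one.
dnsupdate ALL=(root) NOPASSWD: /usr/sbin/rndc reload
```

Check both files with `sshd -t` and `visudo -c` before reloading sshd, and keep an existing session open until a new login has been confirmed to work.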
