Using ssh to restrict direct root login to be from a few systems

Blizard (Technical User, joined Aug 2, 2002, 14 messages, US)
I have disabled direct root logins on my AIX servers, but that makes it impossible to set up rdist to distribute files, etc. from my management servers. I'd like to configure ssh to permit root login via ssh on my servers from just my two NIM servers.

In looking at sshd.conf man pages, it appears that I need to populate the AllowUsers/Groups and DenyUsers/Groups with entries covering all accounts in order to cover the bases. It seems like a gargantuan task. I have about 100 servers, and over 5000 ids on all the machines, so I need a better way to do it.

I suppose I could create groups 'sshloginok' for everyone who should be able to login and 'sshloginnot' for others, and put all ids into those. Then for root, I could list 'root@NIM1' and 'root@NIM2' in the AllowUsers on each of my systems. Seems like an awful lot of work...

Does anyone have any better ideas?

Robert Blizard
National Grid USA Service Co.
An expert is a man who has made all the mistakes which can be made, in a narrow field.
Niels Bohr (1885-1962)
 
I think it is better to leave ssh enabled at first and then script the allow/deny list for all your users! Try using dsh (distributed shell) for this!

Regards,
Khalid
 
Blizard,

You could run a second sshd instance on each machine, specifying a different config file with the -f argument.

In the second config, set a different port (eg 2222) and set AllowUsers to root only. Then set DenyUsers to root only in the standard config.

Then, on your NIM servers, add the following stanza to root's ~/.ssh/config file:

Code:
Host *
    Port 2222

Another option would be to disable password authentication and use private/public keys only, then generate keypairs for root on your NIM servers and add their public keys to root's ~/.ssh/authorized_keys on all the destination servers. You'd probably need to educate and migrate all of your users to key-based authentication before you switch off password auth, though.

I don't have NIM in use here, but doesn't it have the option to use SSL? Would that mitigate this problem for you?

- Rod


IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

A Simple Code for Posting on the Web
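As an added example (not code from this thread or from any poster), the POSIX sh script below lays out the two-instance setup Rod describes: a standard sshd_config that denies root, a second config for an `sshd -f` instance on another port that allows root only and refuses passwords, and the client-side stanza for root on the NIM servers. It goes a little beyond the post in two ways: the authorized_keys line it emits carries a `from=` option so root's key only works when the connection comes from the two NIM hosts, and the client stanza is narrowed to the managed servers instead of `Host *` so NIM-to-NIM and other ssh traffic keep the normal port. The hostnames nim1.example.com / nim2.example.com, the `*.example.com` pattern, port 2222, the file names, the key file name and the sample public key are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the two sshd
# configs, the client ssh_config stanza for root on the NIM servers and a
# pinned authorized_keys entry. All hostnames, ports and paths are assumed.

NIM_HOSTS="nim1.example.com,nim2.example.com"   # assumption: the two NIM servers
ROOT_PORT=2222                                  # assumption: port for the root-only daemon
OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/ssh-hardening-out}"

# Standard daemon on port 22: everybody except root. DenyUsers is evaluated
# before AllowUsers, and with no AllowUsers line nobody else is locked out.
gen_std_config() {
    cat <<EOF
# /etc/ssh/sshd_config  (standard instance)
Port 22
DenyUsers root
PasswordAuthentication yes
EOF
}

# Second daemon, started with:  sshd -f /etc/ssh/sshd_root_config
# Root only, keys only, own PidFile so the two instances don't collide.
gen_root_config() {
    cat <<EOF
# /etc/ssh/sshd_root_config  (root-only instance)
Port $ROOT_PORT
PidFile /var/run/sshd_root.pid
AllowUsers root
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Stanza for root's ~/.ssh/config on the NIM servers. Only the managed hosts
# get the alternate port (assumption: they share the example.com domain).
gen_client_config() {
    cat <<EOF
# ~/.ssh/config on the NIM servers (root)
Host *.example.com
    Port $ROOT_PORT
    User root
    IdentityFile ~/.ssh/id_rsa_nim
EOF
}

# authorized_keys line for root on each managed server. from= limits the
# source hosts the key is honoured from; the no-* options drop forwarding,
# which rdist does not need.
gen_authorized_key() {
    pubkey="$1"
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$NIM_HOSTS" "$pubkey"
}

# Cheap sanity check on the generated pair: different ports (or the second
# instance cannot bind), root denied on the standard one, root-only and
# password-free on the second. Returns 0 when all hold.
lint_configs() {
    std="$1"; rootcfg="$2"
    p1=$(awk '/^Port /{print $2}' "$std")
    p2=$(awk '/^Port /{print $2}' "$rootcfg")
    [ -n "$p1" ] && [ -n "$p2" ] && [ "$p1" != "$p2" ] || return 1
    grep -q '^DenyUsers root$' "$std" || return 1
    grep -q '^AllowUsers root$' "$rootcfg" || return 1
    grep -q '^PasswordAuthentication no$' "$rootcfg" || return 1
    return 0
}

# Full syntax check with the real daemon, where sshd is installed. Note that
# sshd -t also wants the host keys to be readable, so run it on the server.
syntax_check() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed, skipping" >&2; return 0; }
    sshd -t -f "$1"
}

write_all() {
    mkdir -p "$OUT_DIR" || return 1
    gen_std_config    > "$OUT_DIR/sshd_config"
    gen_root_config   > "$OUT_DIR/sshd_root_config"
    gen_client_config > "$OUT_DIR/ssh_config_nim"
    # constructed sample key, not a real one
    gen_authorized_key "ssh-rsa AAAAB3NzaC1yc2EAAAAexample root@nim1.example.com" \
        > "$OUT_DIR/authorized_keys"
    lint_configs "$OUT_DIR/sshd_config" "$OUT_DIR/sshd_root_config" \
        || { echo "generated configs failed lint" >&2; return 1; }
    echo "wrote configs to $OUT_DIR"
}

write_all
```

Two things to check before rolling this out: `from=` is matched against the client's address or its reverse-resolved name, so use IP addresses in the pattern if the reverse DNS for the NIM servers is not under your control; and the second instance shares the host keys with the first by default, so `sshd -t -f /etc/ssh/sshd_root_config` run on the target server is the definitive syntax check (the `lint_configs` function only catches the obvious mistakes when sshd is not at hand). Newer OpenSSH spells the root setting `PermitRootLogin prohibit-password`; `without-password` is still accepted as the older alias.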
 