> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
>> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden <ogden@eng.utah.edu>
>> wrote:
>> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200
>> > wrote:
>> > > Hi Jim,
>> > >
>> > >
>> > But what if you have 1000 users? From my understanding you would
>> > have to add all users to the AllowUsers list.
>>
>> Or simply add all of them to one of the groups specified in
>> "AllowGroups".
>
> Yes I do understand how that would work. Let me better explain what
> we would like to do: We have over 9000 users and about 100 different
> groups. We would like to allow root ssh login to our machines but
> only from one or two machines. We like to have root login to be
> able to run remote commands to all our machines. So is there a way
> to limit root's login from one or two machines?
Hi Mark
This is what I do:
Disable root login via ssh entirely and set up 'sudo' and ssh-agents.
You can make quite impressive sudo setups. Look at
http://www.courtesan.com/sudo/
With this approach the root passwd is safe (both from ssh and from
other admin/users) and you can exec any command on any server without
the use of passwd if you use ssh-agents, and every 'sudo' command is
logged. You know who did this and that .. and when.
Furthermore, add accounting on each server and add a central syslog(-ng)
server (if not done already).
respectfully
/per
per@xterm.dk
>
> -Mark
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
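An added audit check (example code, not from the thread or any of its posters): it parses an sshd_config the way sshd reads it (first value of a keyword wins, '#' starts a comment, an optional '=' may separate keyword and value) and flags the settings the thread argues over: root login still permitted, no AllowUsers/AllowGroups list, and password logins instead of keys with ssh-agent. Both config texts below are constructed samples, and Match blocks are not handled.

```python
"""Audit an sshd_config against the thread's advice: PermitRootLogin no,
an explicit AllowUsers/AllowGroups list, and key-based logins (ssh-agent)."""
import re

# Constructed sample: the state Mark describes, root reachable over ssh.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: per's recommendation expressed in sshd_config terms.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshadmins wheel
"""

def parse_sshd_config(text):
    """Return {keyword_lower: [values in file order]}. Keywords are
    case-insensitive; '#' starts a comment; 'Key value' or 'Key = value'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        opts.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return opts

def audit(text):
    """Return findings; an empty list means the config follows the advice.
    sshd uses the FIRST value of a repeated keyword, so index 0 is checked.
    Absent keywords are assumed to take the old built-in default 'yes'."""
    opts = parse_sshd_config(text)
    findings = []
    root = opts.get("permitrootlogin", ["yes"])[0].lower()
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}'; set 'no' and use sudo")
    if not (opts.get("allowusers") or opts.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups; every account is reachable")
    if opts.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication on; prefer keys with ssh-agent")
    return findings
```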