On 11/20/04 01:29:09 -0500, Francisco wrote: > On Thu, 7 Oct 2004, Mark Ogden wrote: > > Coming.. way late to the discussion.. > > >groups. We would like to allow root ssh login to our machines but only > >from one or two machines. > > For starters I don't think it is a good idea to allow remote root logins > There are several ways to do what you want. > A few options > > If you only need the root users to login, set the firewall to only allow > ssh from specific IPs. Set a user that can ssh and either configure sudo > or allow user to su. > > >We like to have root login to be able to run > >remote commands to all our machines. > > That sounds like something you could do with a regular user + sudo. > > >So is there a way to limit roots > >login from one or two machines? > > Yet another approach, you can turn on to allow connections with keys > only. No password authentication. Then enable root.. or better another ID > which can su or sudo the commands you need. Look at the 'AllowUsers' directive in sshd_config. You can use something to the like of 'AllowUsers root@10.0.0.1 root@10.0.0.1 etc'. You can also use wildcards in the fields. -- Michael Nicks IOPort Technologies, LLC nicksm@ioport.com PGP/GNUPG key: 1024D/0F11CED3 1(913)-378-6516 Keyfile available at pgp.mit.edu. (Fingerprint: 4F9A 25F8 5DC7 4BA0 6288 91E3 C7CD ADA4 0F11 CED3) _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"