[TriLUG] sshd question

paul ppeeler at gmail.com
Wed Mar 8 22:20:36 EST 2006


On 3/8/06, Brian Henning <brian at strutmasters.com> wrote:
> Can you specify an alternate port?  Run a separate instance of SSHD on a
> nonstandard port, configured to allow root login and firewalled (or
> tcpwrappered) to only allow connections from the one machine, maybe?
>
> Would take some trickery with startup scripts, but I bet it could be
> done, if esxranger will let you specify the port.
>
> ~Brian
>
>
> Blackburn, Marvin wrote:
> > it's esxranger, the ability to log on as an alternate user and su to root
> > doesn't work -- bug.
> > so I need to allow root from a to b but only from a to b
> >
> >
> >>-----Original Message-----
> >>From: trilug-bounces at trilug.org
> >>[mailto:trilug-bounces at trilug.org] On Behalf Of Rick DeNatale
> >>Sent: Wednesday, March 08, 2006 5:04 PM
> >>To: Triangle Linux Users Group discussion list
> >>Subject: Re: [TriLUG] sshd question
> >>
> >>On 3/8/06, Blackburn, Marvin <mblackburn at glenraven.com> wrote:
> >>
> >>>Unfortunately, this won't work -- it has to be root
> >>
> >>Does it have to use password authorization?  Another option is to use
> >>key pairs.
> >>
> >>You can also force the command that gets executed by putting the
> >>command into the .ssh/authorized_keys file in root's home directory.
> >>It's a little tricky but you can execute a script which "wraps" the
> >>command being executed by the ssh client.
> >>
> >>But why does it HAVE to be root, is the user not configurable?  What's
> >>the application?
> >>
> >>--
> >>Rick DeNatale
> >>
> >>Visit the Project Mercury Wiki Site
> >>http://www.mercuryspacecraft.com/
> >>--
> >>TriLUG mailing list        :
> >>http://www.trilug.org/mailman/listinfo/trilug
> >>TriLUG Organizational FAQ  : http://trilug.org/faq/
> >>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >>
> >>
> >
> >
>
> --
> ----------------
> Brian A. Henning
> strutmasters.com
> 336.597.2397x238
> ----------------
>

Actually, this is rather simple if you can use ssh keys. Generate a
key on box A. Put the public key in the authorized_keys file in .ssh
on box B. Then change the line in sshd_config to:

PermitRootLogin without-password

That option allows root logins via ssh with a key. You will not be
able to log in over ssh as root with a password, though it will not
inhibit the ability to ssh in as a regular user with a password and su
to root.

Hope that is helpful.
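
A way to verify the setup described above on box B, as an added example that is not part of the original post: it reads the effective PermitRootLogin value and counts root keys that carry no from="..." restriction (the authorized_keys option that ties a key to a source host, which is what "only from a to b" needs). The file contents, the address 192.0.2.10 standing in for box A, and the key material are constructed samples; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit box B's root SSH policy.

# Print the effective PermitRootLogin value. sshd uses the first occurrence
# of a keyword, and keywords are case-insensitive. Match blocks are ignored
# here (assumption: none override the global setting).
root_login_mode() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed only if the config rules out root password logins.
# prohibit-password is the newer OpenSSH spelling of without-password.
root_password_blocked() {
    case "$(root_login_mode "$1")" in
        without-password|prohibit-password|forced-commands-only|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Count keys in an authorized_keys file that carry no from="..." option,
# i.e. keys sshd would accept from any source address.
keys_without_from() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         !/^[ \t]*([A-Za-z0-9-]+(="[^"]*")?,)*from="[^"]+"/ { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample input: 192.0.2.10 stands in for box A, key material is fake.
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin without-password' \
    > "$demo/sshd_config"
printf '%s\n' \
    'from="192.0.2.10",no-port-forwarding ssh-rsa AAAAB3NzaFAKEKEY root@boxA' \
    'ssh-rsa AAAAB3NzaOTHERFAKE admin@laptop' \
    > "$demo/authorized_keys"

if root_password_blocked "$demo/sshd_config"; then
    echo "root password login: blocked ($(root_login_mode "$demo/sshd_config"))"
else
    echo "root password login: NOT blocked"
fi
echo "root keys usable from any host: $(keys_without_from "$demo/authorized_keys")"
```

On a real host, point the functions at /etc/ssh/sshd_config and root's ~/.ssh/authorized_keys; a non-zero count means some root key is still accepted from machines other than box A.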


