bugzilla-daemon at mindrot.org
2005-Mar-07 19:56 UTC
[Bug 995] PermitRootLogin by IP address block specification
http://bugzilla.mindrot.org/show_bug.cgi?id=995

           Summary: PermitRootLogin by IP address block specification
           Product: Portable OpenSSH
           Version: 3.6.1p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: dts at senie.com


In looking at the options for PermitRootLogin, we find that none properly
address our needs. We use root login with password between servers in a
data center. All of these machines are firewalled. We prefer to leave root
login permitted for various infrequent operations (file copies, etc.) but
do not want to leave keys on the machine to allow such commands at will
(concerns that if one machine is compromised, we would have all machines
compromised).

So, we'd like to suggest a mechanism that would permit us to specify one or
more CIDR blocks as places from which root login is permitted. That way, we
can connect into the data center, and then connect among machines as
desired, with fewer issues.

Please consider this an enhancement request. Were it not for the present
pounding our machines take from people trying to break in by guessing
passwords, we probably would not even be asking. As a precaution due to the
attacks, we have disabled root login entirely, but this is interfering with
some of our normal workflow.

I'd be happy to answer any questions.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Mar-08 01:35 UTC
[Bug 995] PermitRootLogin by IP address block specification
http://bugzilla.mindrot.org/show_bug.cgi?id=995



------- Additional Comments From dtucker at zip.com.au  2005-03-08 12:35 -------
Would something like this in sshd_config do what you want (assuming your
cluster addresses are 192.168.0.0/24, untested):

DenyUsers root@!192.168.0.*
bugzilla-daemon at mindrot.org
2005-Mar-08 01:52 UTC
[Bug 995] PermitRootLogin by IP address block specification
http://bugzilla.mindrot.org/show_bug.cgi?id=995



------- Additional Comments From dts at senie.com  2005-03-08 12:52 -------
Ha, thank you. The man page for the AllowUsers and DenyUsers does actually
mention this, but it was not at all apparent without an example that a
wildcarded IP address would do the trick. Guess this should become a
suggestion for the documentation writers to add an example or two.

It'd still be nice to permit based on CIDR, but what's there is sufficient
for my immediate needs.

Again, thanks for pointing this out.
bugzilla-daemon at mindrot.org
2005-Mar-08 02:18 UTC
[Bug 995] PermitRootLogin by IP address block specification
http://bugzilla.mindrot.org/show_bug.cgi?id=995

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME



------- Additional Comments From dtucker at zip.com.au  2005-03-08 13:18 -------
Supporting CIDR notation is an open enhancement request (see bug #976).

Note that it may be possible to fool this by faking the reverse DNS
resolution to look like an IP address (recent versions specifically check
for this).
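The DenyUsers suggestion above and the reverse-DNS caveat in the closing comment, worked through in an added Python model of the sshd_config(5) PATTERNS rules (illustration code written for this page, not OpenSSH's own; the user names, host names and addresses in the checks are constructed):

```python
def match_pattern(s, p):
    """OpenSSH-style glob: '*' matches any run of characters, '?' any single
    character; nothing else is special (unlike fnmatch, '[' is literal)."""
    if not p:
        return s == ""
    if p[0] == "*":
        return any(match_pattern(s[i:], p[1:]) for i in range(len(s) + 1))
    return s != "" and p[0] in ("?", s[0]) and match_pattern(s[1:], p[1:])


def match_pattern_list(s, patterns):
    """Comma-separated list: 1 = positive match, -1 = a '!' term matched
    (an immediate veto), 0 = nothing matched.  A list made only of negated
    terms can therefore never return 1; it needs a positive term such as '*'."""
    positive = 0
    for term in patterns.split(","):
        negated = term.startswith("!")
        if match_pattern(s, term[1:] if negated else term):
            if negated:
                return -1
            positive = 1
    return positive


def match_host_and_ip(host, ipaddr, patterns, trust_reverse_dns=True):
    """HOST half of USER@HOST: a negated hit on either the source IP or the
    reverse-DNS name vetoes; otherwise a positive hit on either is enough.
    trust_reverse_dns=False models a check that consults the IP only."""
    mip = match_pattern_list(ipaddr, patterns)
    if mip == -1:
        return False
    mhost = 0
    if trust_reverse_dns:
        mhost = match_pattern_list(host.lower(), patterns.lower())
        if mhost == -1:
            return False
    return mip == 1 or mhost == 1


def match_user(user, host, ipaddr, pattern, trust_reverse_dns=True):
    """One DenyUsers/AllowUsers entry, either USER or USER@HOST."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    upat, hpat = pattern.split("@", 1)
    return match_pattern(user, upat) and match_host_and_ip(
        host, ipaddr, hpat, trust_reverse_dns)


def denied(user, host, ipaddr, deny_users, trust_reverse_dns=True):
    """True if any space-separated DenyUsers entry matches this login."""
    return any(match_user(user, host, ipaddr, p, trust_reverse_dns)
               for p in deny_users.split())
```

Under these rules `DenyUsers root@!192.168.0.*` never denies anyone, because a list made only of negated terms cannot match positively; `root@!192.168.0.*,*` denies root from outside the cluster while still admitting 192.168.0.x. A forged reverse-DNS name such as `192.168.0.7` still satisfies the negated term and slips past that entry unless the hostname is left out of the decision, which is the caveat in the closing comment.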