Thanks for replying guys but:

The problem I have is this: I cannot turn off telnetd and rlogind for all users in one day - they use rlogin=false for each user, i.e.:

    chuser rlogin=false root

Unfortunately ssh does not allow access when this is set. I would like to use ssh at first just for root, and then for other users after testing etc.

permitrootlogin is a ssh concept, not applicable to telnet and rlogin - I am trying to allow root access only via ssh and public keys of authorised users, with a tracking mechanism via ssh logging of which public key had granted access.

Pekka Savola understands exactly what I am trying to achieve when he wrote:

This is an attempt to solve the account management problem. For example, consider a company with 50 servers which are managed by 5-10 admins. When the admins switch jobs, you always have to make sure their accounts are deleted, new ones added etc. Also, it's a pain for the admins to set up passwords for each, and change them in each, etc. Real pain.

Some custom password/user management tools make this a bit easier, but not much. If there are good, reliable systems for this, I sure would like to know of them.

There are obvious advantages not having to know (unless something dire happens) the root password yet being able to do work as root in multi-admin circumstances.

How SSH makes this easier is that you only have to sync the authorized_keys2 database to root account's .ssh/ every time a new admin comes in/leaves the house. This can even be automatized rather easily.

A more modular hack would be using authorized_keys2 _directory_, and the keys in there would all be counted as authorized. Thus only one file copy/removal would do the job, no need for sync; this would be profitable in environments where all admins don't have access to all systems.

--
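The sync step described in the message above, as an added example that is not part of the original post: it rebuilds root's authorized_keys2 from a directory holding one key file per admin, so adding or removing an admin is one file copy or removal plus a rerun. The function name, the `<admin>.pub` layout, the accepted key types and the use of `mktemp` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: rebuild root's authorized_keys2 from one key file per admin.
# Assumed layout: KEYDIR/<admin>.pub, each holding that admin's public key(s).

# build_authorized_keys KEYDIR OUTFILE
# Returns 0 on success, 1 if any line was rejected (the file is still written
# from the valid lines), 2 on setup errors.
build_authorized_keys() {
    keydir=$1 out=$2 rejected=0
    [ -d "$keydir" ] || { echo "no such directory: $keydir" >&2; return 2; }
    # Temp file in the destination directory so the final mv is an atomic
    # rename and sshd never reads a half-written file.
    tmp=$(mktemp "$(dirname "$out")/.authkeys.XXXXXX") || return 2
    chmod 600 "$tmp"
    for f in "$keydir"/*.pub; do
        [ -f "$f" ] || continue
        admin=$(basename "$f" .pub)
        while read -r type blob _comment || [ -n "$type" ]; do
            case $type in ''|'#'*) continue ;; esac
            # Accept only "<keytype> <base64>" lines, so a key file cannot
            # carry an options prefix. The type list is an assumed policy.
            case $type in
                ssh-rsa|ssh-dss|ssh-ed25519) ;;
                *) echo "rejected line in $f: bad key type" >&2
                   rejected=1; continue ;;
            esac
            case $blob in
                ''|*[!A-Za-z0-9+/=]*) echo "rejected line in $f: bad key data" >&2
                   rejected=1; continue ;;
            esac
            # Replace the key's own comment with the file name so every
            # entry in the merged file is traceable to one admin.
            printf '%s %s admin=%s\n' "$type" "$blob" "$admin" >> "$tmp"
        done < "$f"
    done
    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 2; }
    return $rejected
}
```

A non-zero return of 1 means at least one key file contained a line that was left out of the merged file and should be inspected.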