Linux – Restrict root ssh from all but one IP/hostname

linuxpamssh

I'm wanting to restrict root ssh login coming from all but a single IP address.

I was under the impression that I just had to add this to /etc/pam.d/sshd:

account required pam_access.so

and this to /etc/security/access.conf:

-:root:ALL EXCEPT IPADDRESS

but that doesn't seem to be working.

Best Answer

In /etc/ssh/sshd_config

# Disable Root login
PermitRootLogin no
#
# [ . . . ]
#
# At the end of the file, add:
#
# Allow Root Login via Key from Admin Bastion
Match Address 10.9.8.7
        PermitRootLogin without-password

Related Solutions

SSH – Can’t Login Using SSH as Root

Turns out the /etc/init.d/sshd script had no $OPTIONS variable, which would be the reference to the config file. Therefore sshd was starting without any config file at all, and hence, defaulting to "PermitRoodLogin no".

I resolved this by adding the following line near the start of /etc/init.d/sshd:

OPTIONS="-f /etc/ssh/sshd_config"

Hope this helps somebody else.

Linux – How to limit root to being able to only login on the console via /etc/security/access.conf

When someone logs in, the file access.conf is scanned for the first entry that matches... User root should be denied to get access from all other sources.

- : root : ALL

Quoted from the manpage

In my opinion that's just wrong. root should definitely be allowed to log in when a user has physical access to the box.

I do count IPMI as physical access, if you don't want that unplug the cable, it's the only way to be sure that you do have to stand in front of the box to have the equivalent of physical access. In some environments I even have the tendency to have a root terminal running without the need to log in -- given that proper access control to the facility is in place.

Why: sudo might fail, and giving the root password to a bunch of people so that they can login just generates problems, you'd have to change the password quite often in larger teams since there'll always be fluctuation. With an "open" root terminal there are no password worries -- all under the assumption that proper access control is there and that IPMI access is secured as well with personalized accounts

(No go downvote me for that, I can imagine that there are a ton of reasons against that but I find that to be a better -- more practical -- solution than to have a password policy for root which will sooner or later be forgotten. And if you then do need root access you have to jump in squares to get the "Password of the day")

Best Answer

Related Solutions

SSH – Can’t Login Using SSH as Root

Linux – How to limit root to being able to only login on the console via /etc/security/access.conf

Related Topic