Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] SSH and /etc/securetty


Steven Kerr wrote:
> 
> Is there any known way to disallow root from logging on when
> connecting via SSH2 ?
> 
> Standard telnet stops root from logging on by looking up the device in
> /etc/securetty.
> 
> Is there an equivalent for ssh ?

You can duplicate telnet's functionality (actually the functionality of
the login program used by telnet) by looking in /etc/pam.d/login and
seeing this line:

auth       required     /lib/security/pam_securetty.so

Put that at the top of your /etc/pam.d/sshd file and you're off and
running.

Personally, I use something like this, in my /etc/pam.d/sshd file:

auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=fail

(all on one line)

That means I can just put in a list of users in the /etc/sshusers
file.  Anyone in this file can ssh in.  Anyone not in that file
cannot.  Sort of like the /etc/ftpusers file but in reverse.  If
you don't want root to ssh in, then you can just omit root from
/etc/sshusers.

-- 
Del