- To: Steven Kerr <linux.com@xxxxxxxxxxxx>
- Subject: Re: [SLUG] SSH and /etc/securetty
- From: Del <del@xxxxxxxxxxxx>
- Date: Mon Jul 9 14:21:02 2001
- Cc: "slug@xxxxxxxxxxx" <slug@xxxxxxxxxxx>
- Organization: Babel Com Australia
Steven Kerr wrote:
>
> Is there any known way to disallow root from logging on when
> connecting via SSH2 ?
>
> Standard telnet stops root from logging on by looking up the device in
> /etc/securetty.
>
> Is there an equivalent for ssh ?
You can duplicate telnet's functionality (actually the functionality of
the login program used by telnet) by looking in /etc/pam.d/login and
seeing this line:
auth required /lib/security/pam_securetty.so
Put that at the top of your /etc/pam.d/sshd file and you're off and
running.
Personally, I use something like this, in my /etc/pam.d/sshd file:
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=fail
(all on one line)
That means I can just put in a list of users in the /etc/sshusers
file. Anyone in this file can ssh in. Anyone not in that file
cannot. Sort of like the /etc/ftpusers file but in reverse. If
you don't want root to ssh in, then you can just omit root from
/etc/sshusers.
--
Del
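An added example, not code from the thread or from the PAM project: a small POSIX shell script that reproduces the allow/deny decision Del's pam_listfile line makes (item=user sense=allow onerr=fail) against a constructed /etc/sshusers, and audits a pam.d/sshd fragment for the presence of that line. The temporary-directory paths, the user names in the sample list and the extra pam_unix lines in the fragment are constructed for the demonstration. Two points worth checking on a real host: onerr=fail means a missing or unreadable /etc/sshusers denies everyone, not just root (fail-closed, which the script mirrors), and the PAM stack is only consulted when sshd was built with PAM support and uses it (UsePAM yes in later OpenSSH releases).

```shell
#!/bin/sh
# Added example (not from the original message): emulate the decision
# pam_listfile.so makes for
#   item=user sense=allow file=/etc/sshusers onerr=fail
# and audit a pam.d/sshd file for the auth line that installs it.

# sshusers_allows USER FILE
# Returns 0 if USER appears as a whole line in the allow-list FILE.
# Mirrors onerr=fail: a missing or unreadable list denies everyone.
sshusers_allows() {
    _user=$1
    _file=$2
    [ -r "$_file" ] || return 1        # onerr=fail: cannot read list => deny
    grep -qxF -- "$_user" "$_file"     # -x whole line, -F literal (no regex)
}

# pam_sshd_allowlist_line FILE
# Prints the "auth required ... pam_listfile.so" line in FILE that carries
# item=user and sense=allow; returns 1 when no such line is present.
pam_sshd_allowlist_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_listfile\.so' "$1" \
        | grep -E 'item=user' \
        | grep -E 'sense=allow'
}

# make_demo_dir
# Writes constructed sample files (NOT the real /etc files) into a temporary
# directory and prints its path: an sshusers allow-list containing two
# ordinary users and a pam.d/sshd fragment that starts with Del's line.
make_demo_dir() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' del steven > "$_d/sshusers"          # root deliberately absent
    cat > "$_d/pam.d-sshd" <<'EOF'
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=fail
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
EOF
    printf '%s\n' "$_d"
}

# demo: show the decision for three users and confirm the fragment is wired up.
demo() {
    _dir=$(make_demo_dir) || return 1
    for _u in del steven root; do
        if sshusers_allows "$_u" "$_dir/sshusers"; then
            echo "$_u: allowed"
        else
            echo "$_u: denied"
        fi
    done
    if pam_sshd_allowlist_line "$_dir/pam.d-sshd" >/dev/null; then
        echo "pam.d/sshd enforces the /etc/sshusers allow-list"
    else
        echo "pam.d/sshd does NOT load pam_listfile with item=user sense=allow"
    fi
    rm -rf "$_dir"
}

demo
```

Run it as-is to see del and steven allowed and root denied; point `sshusers_allows` at a non-existent file to see the onerr=fail behaviour, and `pam_sshd_allowlist_line` at your own /etc/pam.d/sshd to confirm the line is actually present.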