Enable SSH for root over certain network connection of a server...is it possible?

cpolikowsky · March 31, 2009, 5:17pm

Hi - I have a SUSE Enterprise Linux Server V9 that I have an issue with. Policy says that root connectivity via ssh needs to be disabled. So, to do that, I made the following change in the sshd_config section:

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

The issue is that a utility that the vendor uses uses root to connect via ssh across the two servers in our configuration to collect logging and reporting information. when I disable root login in sshd_config, it breaks their utility. I asked why they would have it run as root and not as some privledged account...but I have not received an answer yet. In our configuration, we have 3 networks (2 are private networks and 1 is connectivity to the corporate network.) My question, is it possible to disable root Login via ssh for some network segments but not others?

geekosaur · March 31, 2009, 9:15pm

Only by running separate sshds on all network interfaces.

The better way to do this is AllowRootLogin without-password or AllowRootLogin forced-commands-only, then generate a public/private keypair for the vendor and restrict what they can do with the "command" option in ~root/.ssh/authorized_keys.

laurentv · March 31, 2009, 9:21pm

The best solution are usualy the simpler ones:
Have the vendor use a different id than root.
if not possible use ssh key as mentioned by geekosaur.
you can even restrict that key usage to the specific script that need to be run

-Laurent

geekosaur · March 31, 2009, 9:22pm

Oh, and another alternative is to give the vendor a non-root account and have them use sudo with restrictions in /etc/sudoers. The vendor might not be willing to play along with this, though.