SSH Security

Scot L. Harris webid at cfl.rr.com
Sun Dec 11 00:13:29 UTC 2005


On Sat, 2005-12-10 at 16:35, wwp wrote:
> Hello Scot,
> 
> 
> On Tue, 06 Dec 2005 21:15:04 -0500 "Scot L. Harris" <webid at cfl.rr.com> wrote:

> > Key based authentication is the right way to go.  You should disable
> > root ssh access completely.
> 
> BTW, is there a way to make ssh allow root access from a specific
> interface (local for instance) and deny it from other ones (external)?

I believe that can be done.  However, I would not recommend that.  It is
always better to have someone log in as themselves then su - or use sudo
to get elevated privileges.  You then have an audit trail of who used
root plus they would have to break a standard user account then the root
account.

If you go that route it just complicates your setup and if an error is
made you could leave root open on an external interface.  Much simpler
and safer to deny root access completely.
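
Added example, not part of the original message: a small audit that reads an sshd_config and reports every context (global section or Match block) where root login or password authentication is still allowed, which is the kind of check that catches a per-interface exception left open by mistake. The sample configs, the address 192.168.1.10, the function name and the assumed defaults (current upstream OpenSSH) are constructed for illustration.

```python
import re

# Values sshd uses when a keyword is absent (assumption: a current upstream
# OpenSSH release; distributions may ship different defaults).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed sample: root denied globally, re-enabled for one local address.
EXCEPTION_CONFIG = """\
# constructed sample
PermitRootLogin no
PasswordAuthentication no
Match LocalAddress 192.168.1.10
    PermitRootLogin yes
"""

# Constructed sample: root denied everywhere, keys only.
HARDENED_CONFIG = "PermitRootLogin no\nPasswordAuthentication=no\n"

def audit_sshd_config(text):
    """Return (context, keyword, value) for every place root login or
    password authentication is still allowed."""
    seen = {}           # (context, keyword) -> first value given there
    context = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            context = "Match " + value   # following lines apply to this block
        elif keyword in WANTED and value:
            seen.setdefault((context, keyword), value.split()[0].strip('"').lower())
    for keyword in WANTED:               # unset globally: the default applies
        seen.setdefault(("global", keyword), DEFAULTS[keyword])
    return [(ctx, kw, val) for (ctx, kw), val in seen.items() if val != WANTED[kw]]

if __name__ == "__main__":
    for finding in audit_sshd_config(EXCEPTION_CONFIG):
        print("still allowed:", finding)
```

An empty result means root login and password authentication are denied in every context the file defines; `sshd -T` on the host itself reports the effective settings for comparison.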



