LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Password
Fedora This forum is for the discussion of the Fedora Project.

Notices

Reply
 
Search this Thread
Old 02-16-2009, 05:54 PM   #1
fw12
Member
 
Registered: Mar 2006
Distribution: Fedora core, Ubuntu
Posts: 168

Rep: Reputation: 30
Allow root access via PAM


I need to disable root access. However, I need root access from a specific IP address.

I disabled root access as follows:

# vim /etc/ssh/sshd_config
Changed:
PermitRootLogin yes
to:
PermitRootLogin no

# /etc/rc.d/init.d/sshd restart

The above disabled root access for good.
Next, I used PAM to allow access from a specific IP

# vim /etc/security/access.conf

I appended the following lines:

+ : root : 10.0.0.254
+ : root : 127.0.0.1
- : root : ALL

Finally,

# vim /etc/pam.d/sshd

I appended the following entry

account required pam_access.so

With the above config, I'm still getting "permission denied" when I try to login via ssh from 10.0.0.254

What did I miss?
 
Old 02-17-2009, 01:55 AM   #2
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Rep: Reputation: 40
I'm definately not an expert on PAM, but just a thought: If the "PermitRootLogin no" gets evaluated before PAM, it doesn't matter how you set up your PAM files. How about setting this option back to "yes", and control everything from PAM?
 
Old 02-17-2009, 02:32 AM   #3
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,362

Rep: Reputation: 171Reputation: 171
It is probably better to remote in as a user and then su - (su space dash) into root.
 
Old 02-17-2009, 08:13 AM   #4
pcunix
Member
 
Registered: Dec 2004
Location: MA
Distribution: Various
Posts: 149

Rep: Reputation: 23
Quote:
Originally Posted by lazlow View Post
It is probably better to remote in as a user and then su - (su space dash) into root.
No, you are wrong.

It's not "probably better". It's ALWAYS better.

And it could be even better to use sudo rather than "su -".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Disable remote root access but allow local root access-- possible? bskrakes Linux - Security 3 03-03-2008 12:15 PM
PAM -- Allowing only certain users access DennisC31 Linux - Security 1 01-05-2008 06:26 PM
SAMBA shares allow access based on PAM zQUEz Linux - Newbie 2 06-26-2007 05:08 AM
deny ssh access with pam RobertCraven Linux - Security 5 05-12-2006 03:55 AM
how can I limit time access with pam hichem Linux - Security 4 11-17-2005 12:58 AM


All times are GMT -5. The time now is 11:06 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration