[SOLVED] Disable remote root access but allow local root access-- possible?

bskrakes · 02-28-2008, 01:28 PM

Hi there!

So I know how to disable remote root access but am I able to allow local root access (anything on the private internal network)? This way when I am on site at the server I don't have to "su - root" all the time.

Thanks!

Deleriux · 02-28-2008, 03:36 PM

If your using passwords to login you can do this by going to

/etc/security/access.conf

and putting a line such as:-

+ : root : 192.168.1.0/24 (<-- replace with local network here)
- : root : ALL

Then going to sshd and putting the "UsePAM" option to Yes. And set "PasswordAuthentication no".

If your using public keys - well - I dont know a way of doing it then since pam doesnt support pubkey authentication.

taylor_venable · 02-29-2008, 09:32 PM

Quote:

Originally Posted by bskrakes

This way when I am on site at the server I don't have to "su - root" all the time.

I'd recommend using sudo instead, because it (1) leaves an audit trail; (2) doesn't require the root password to use; (3) allows finer-grained control.

But if you want to stop root login over SSH set PermitRootLogin to "no" in your configuration.

bskrakes · 03-03-2008, 12:15 PM

I already have remote root login disabled.

I just need to configure root login for local access only.... It doesn't look like there is any real easy way to set that. I know in some programs you can control this by IP address (grant/deny ip address or by range).