LinuxQuestions.org


fw12 02-16-2009 05:54 PM

Allow root access via PAM
 
I need to disable root access. However, I need root access from a specific IP address.

I disabled root access as follows:

# vim /etc/ssh/sshd_config
Changed:
PermitRootLogin yes
to:
PermitRootLogin no

# /etc/rc.d/init.d/sshd restart

The above disabled root access for good.
Next, I used PAM to allow access from a specific IP.

# vim /etc/security/access.conf

I appended the following lines:

+ : root : 10.0.0.254
+ : root : 127.0.0.1
- : root : ALL

Finally,

# vim /etc/pam.d/sshd

I appended the following entry:

account required pam_access.so

With the above config, I'm still getting "permission denied" when I try to log in via ssh from 10.0.0.254.

What did I miss?

kenneho 02-17-2009 01:55 AM

I'm definitely not an expert on PAM, but just a thought: If the "PermitRootLogin no" gets evaluated before PAM, it doesn't matter how you set up your PAM files. How about setting this option back to "yes", and controlling everything from PAM?
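
An added example, not part of any post in this thread: a simplified Python model of the two checks discussed above, run against the three access.conf rules from the first post. The function names are hypothetical; only `ALL`, literal addresses and CIDR networks are modelled as origins, only `yes` and `no` are modelled for `PermitRootLogin`, and sshd is assumed to be configured to use PAM.

```python
import ipaddress

# The three rules from the first post, as appended to /etc/security/access.conf.
ACCESS_CONF = """\
+ : root : 10.0.0.254
+ : root : 127.0.0.1
- : root : ALL
"""

def parse_rules(text):
    """Return (permission, users, origins) tuples, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps any further colons (IPv6 origins) in the third field
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    """Simplified model: ALL, a literal IP address, or a CIDR network."""
    if pattern == "ALL":
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # host names, ttys, LOCAL and EXCEPT are not modelled here

def pam_access_allows(rules, user, origin):
    """The first matching rule decides; with no match, pam_access grants access."""
    for perm, users, origins in rules:
        user_hit = "ALL" in users or user in users
        if user_hit and any(origin_matches(p, origin) for p in origins):
            return perm == "+"
    return True

def root_ssh_allowed(permit_root_login, rules, origin):
    """sshd's own PermitRootLogin check applies whatever the PAM account stack says."""
    if permit_root_login not in ("yes", "no"):
        raise ValueError("only 'yes' and 'no' are modelled")
    if permit_root_login == "no":
        return False
    return pam_access_allows(rules, "root", origin)

RULES = parse_rules(ACCESS_CONF)
```

With these rules, root from 10.0.0.254 is refused while `PermitRootLogin` is `no` and accepted once it is `yes`, and root from any other address is still refused by the final `- : root : ALL` line.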

lazlow 02-17-2009 02:32 AM

It is probably better to remote in as a user and then su - (su space dash) into root.

pcunix 02-17-2009 08:13 AM

Quote:

Originally Posted by lazlow (Post 3446545)
It is probably better to remote in as a user and then su - (su space dash) into root.

No, you are wrong.

It's not "probably better". It's ALWAYS better.

And it could be even better to use sudo rather than "su -".
