[mdlug] Remote SSH commands
Mark Montague
markmont at umich.edu
Wed Jan 12 01:04:51 EST 2011
On January 11, 2011 23:53, "Michael ORourke"
<mrorourke at earthlink.net> wrote:
> Anyone out there using the "forced-commands-only" option under OpenSSH?
>
> From what I have read, it sounds like it's a pain to administer because it
> is based on key-pairs. I'm just curious if other admins are using that
> option and restricting remote root logins. It's extremely handy to run
> commands from a central server as root, but breaks if you set
> "PermitRootLogin no" in the sshd_config.
It may or may not be useful in your situation, but consider having two
instances of the SSH daemon, with two completely separate sets of
configuration files.
In your normal instance of sshd, listening on port 22, have
"PermitRootLogin no" with all of your standard options that you
currently have.
Then set up a second instance of sshd that listens on another port and
ONLY permits root logins (no user logins), only via public key
authentication (disable password authentication), and only from the IP
addresses on your management network. This will give you a lot more
security and flexibility for running commands from your central server
without affecting users who use ssh.
--
Mark Montague
mark at catseye.org
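The two-instance setup described above, as an added example that is not from the original post or from the OpenSSH project: a minimal sshd_config for the management-only instance plus a sanity check of its key directives. The port 2022, the management network 10.20.30.0/24 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: config for a second, management-only sshd instance running
# beside the normal one on port 22. Port, paths and network are assumptions.

# Write the management instance's config to the path given as $1.
write_mgmt_sshd_config() {
  cat > "$1" <<'EOF'
# Management-only sshd: root, public keys, management network only.
Port 2022
ListenAddress 0.0.0.0
PidFile /var/run/sshd_mgmt.pid
HostKey /etc/ssh/ssh_host_ed25519_key

# Only root may log in, and only from the (assumed) management network.
# OpenSSH releases before 7.0 spell this value "without-password".
AllowUsers root@10.20.30.*
PermitRootLogin prohibit-password

# Public-key authentication only: no passwords, no interactive prompts.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# Keys for this instance live apart from /root/.ssh/authorized_keys; each
# line there may also carry from="10.20.30.*" and command="..." options.
AuthorizedKeysFile /etc/ssh/mgmt_authorized_keys

X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
EOF
}

# Return 0 only if the file has every directive the setup relies on.
# On a real host, `sshd -t -f FILE` is the authoritative syntax check.
check_mgmt_sshd_config() {
  f="$1"
  grep -Eq '^PermitRootLogin (prohibit-password|without-password)$' "$f" || return 1
  grep -Eq '^PasswordAuthentication no$' "$f" || return 1
  grep -Eq '^AllowUsers root@' "$f" || return 1
  grep -Eq '^Port [0-9]+$' "$f" || return 1
  ! grep -Eq '^Port 22$' "$f" || return 1   # must not collide with the user instance
}

# Start it alongside the normal daemon:  /usr/sbin/sshd -f /etc/ssh/sshd_config_mgmt
```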