Hello Scot,

On Sat, 10 Dec 2005 19:13:29 -0500 "Scot L. Harris" <webid@xxxxxxxxxx> wrote:

> On Sat, 2005-12-10 at 16:35, wwp wrote:
> > Hello Scot,
> >
> >
> > On Tue, 06 Dec 2005 21:15:04 -0500 "Scot L. Harris" <webid@xxxxxxxxxx>
> > wrote:
> >
> > > Key based authentication is the right way to go. You should disable
> > > root ssh access completely.
> >
> > BTW, is there a way to make ssh allow root access from a specific
> > interface (local for instance) and deny it from other ones (external)?
>
> I believe that can be done. However I would not recommend that. It is
> always better to have someone login as themselves then su - or use sudo
> to get elevated privileges. You then have an audit trail of who used
> root plus they would have to break a standard user account then the root
> account.

I well understand why root access (even local or from trusted machines) should
be avoided. The question is not why or how it should be avoided, but how to
filter out according to the ssh-root login originator, to follow my needs.. In
fact I run rsync backups that need to login ssh as root on my server (otherwise
I would lose permissions/ownership).. hmm maybe I should run rsyncd on the
backup server?

> If you go that route it just complicates your setup and if an error is
> made you could leave root open on an external interface. Much simpler
> and safer to deny root access completely.

I'm not afraid of complicating my setup a bit, if it's still reasonable :-)
(IOW if I can manage it), anyway I don't think that system administration can
be kept trivial (I'm exaggerating a bit of course).


Regards,

-- 
wwp