SSH Security

wwp subscript at
Sun Dec 11 12:52:44 UTC 2005

Hello Scot,

On Sat, 10 Dec 2005 19:13:29 -0500 "Scot L. Harris" <webid at> wrote:

> On Sat, 2005-12-10 at 16:35, wwp wrote:
> > Hello Scot,
> > 
> > 
> > On Tue, 06 Dec 2005 21:15:04 -0500 "Scot L. Harris" <webid at>
> > wrote:
> > > Key based authentication is the right way to go.  You should disable
> > > root ssh access completely.
> > 
> > BTW, is there a way to make ssh allowing root access from a specific
> > interface (local for instance) and denying it from other ones (external)?
> I believe that can be done.  However I would not recommend that.  It is
> always better to have someone login as themselves then su - or use sudo
> to get elevated privileges.  You then have an audit trail of who used
> root plus they would have to break a standard user account then the root
> account.

I well understand why root access (even local or from trusted machines)
should be avoided. The question is not why or how it should be avoided, but
how to filter out according to the ssh-root login originator, to follow my
needs. In fact I run rsync backups that need to login ssh as root on my
server (otherwise I would lose permissions/ownership)... hmm, maybe I should
run rsyncd on the backup server?

> If you go that route it just complicates your setup and if an error is
> made you could leave root open on an external interface.  Much simpler
> and safer to deny root access completely.

I'm not afraid of complicating my setup a bit, if it's still reasonable :-)
(IOW if I can manage it), anyway I don't think that system administration can
be kept trivial (I'm exaggerating a bit of course).
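
Added example, not part of the original message or thread: one way to express "root over ssh only on the internal interface, only from the backup host, only for the backup command" on an OpenSSH release that supports `Match` blocks with the `LocalAddress` criterion. The addresses, the wrapper path and the key line are constructed placeholders.

```conf
# /etc/ssh/sshd_config (fragment; Match blocks must come after the
# global settings, because a Match block runs to the next Match or EOF)

# Default for every connection: no root logins, keys only.
PermitRootLogin no
PasswordAuthentication no

# Exception: the connection arrived on the internal interface address
# (10.0.0.5, constructed) AND comes from the backup host (192.0.2.10,
# constructed). Both criteria must match. Root may then log in with a
# key, but only to run the command pinned in authorized_keys.
Match LocalAddress 10.0.0.5 Address 192.0.2.10
    PermitRootLogin forced-commands-only

# /root/.ssh/authorized_keys (a single line; the key is a placeholder and
# /usr/local/sbin/backup-rsync-wrapper is a hypothetical script that only
# starts the rsync server side for the backup paths):
#
# from="192.0.2.10",command="/usr/local/sbin/backup-rsync-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> backup@backuphost
```

Before reloading sshd, `sshd -t` checks the file for syntax errors, and `sshd -T -C user=root,addr=192.0.2.10,laddr=10.0.0.5` prints the settings that would apply to such a connection, so the effective `permitrootlogin` value can be confirmed for both the internal and the external case.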


