Hi folks,
I want to restrict root access via ssh to certain (internal) hosts.
That is what pam_access.so is for, I thought, so I configured:
in /etc/security/access.conf I added (nothing in there before): + : root : 192.168.123.0/24 10.72.0.0/16 - : root : ALL
in /etc/pam.d/ssh I added at the end: account required pam_access.so
Then I restarted the ssh server.
Basically, this kinda works. Cron suddenly had no right to do it's job, so I had to add + : root : LOCAL to /etc/security/access.conf
But there still is no restriction on ssh logins by root - I can still login from anywhere.
Next I tried putting it in one line in /etc/security/access.conf: - : root : ALL EXCEPT LOCAL 192.168.123.0/24 10.72.0.0/16 That did not change anything, still I can log in via ssh.
I am stuck. According to documentation and the examples on the net this should be the right syntax. And, by the way, in my /etc/ssh/ sshd_config I have "UsePAM yes".
Any help or hint is appreciated.
Dirk
Hi,
I have it working with SSH here for a similar setup.
On Fri, Mar 20, 2009 at 09:49, Dirk H. Schulz dirk.schulz@kinzesberg.de wrote:
in /etc/pam.d/ssh I added at the end: account required pam_access.so
I believe you have to add this line *before* the "account include system-auth" line.
Other than that it seems right.
HTH, Filipe
-
Dirk H. Schulz -
Filipe Brandenburger