Hi, for the root user it is quite easy. Just put PermitRootLogin No
in sshd_config. This only allows you to log in through the local console.

Christian

2007/9/2, Radek Hladik <[EMAIL PROTECTED]>:
> Hi,
> I am a little bit confused about pattern behavior when used in the
> AllowedUsers directive. I am trying to limit root logins to localhost.
> First I tried
>
>         AllowedUsers [EMAIL PROTECTED] !root
>
> which should enable root from localhost and all nonroot users from
> anywhere. However the username part is matched with the match_pattern
> function and this function does not take ! into account (see func
> match_user in match.c).
> Secondly I tried
>
>         DenyUsers [EMAIL PROTECTED]
>
> which should deny root when logging in from anywhere but localhost.
> Function match_host_and_ip does call match_hostname which calls
> match_pattern_list. But if the match_hostname function returns -1, which
> means "match found and negation was requested", match_host_and_ip returns
> false as if there were no match. In fact at least one _positive_ match
> is required to return true:
>
>         /* negative ipaddr match */
>         if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
>                 return 0;
>         /* negative hostname match */
>         if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
>                 return 0;
>         /* no match at all */
>         if (mhost == 0 && mip == 0)
>                 return 0;
>         return 1;
>
> Is there any reason for such a behavior? And is there any other way to
> limit root to localhost in sshd? I know I can limit it i.e. via
> pam_access but I would expect sshd to be able to do it.
>
>
> Radek Hladik
>
>
> P.S. Version of OpenSSH is openssh-4.5p1
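The behaviour Radek describes is easiest to see by running the matching logic on sample connections. The C program below is an added example written for this page, not OpenSSH's match.c: it models match_pattern_list() (comma-separated globs, '!' negates an entry) and reproduces the match_host_and_ip() decision sequence quoted above, with simplifications (fixed buffers, no length argument, only a lowercase copy for case folding). It shows that a host pattern made only of negations, such as "!localhost", never yields a positive match and so never denies anyone, and that appending a positive wildcard, the fix the sshd_config(5) PATTERNS section recommends ("!host1,!host2,*"), makes the negation effective. The hostnames and addresses are constructed sample values.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the OpenSSH match.c helpers discussed in the
 * thread; not OpenSSH's code. */

/* Glob match: '*' matches any run of characters, '?' any single one. */
static int match_pattern(const char *s, const char *pattern)
{
    for (;;) {
        if (*pattern == '\0')
            return *s == '\0';
        if (*pattern == '*') {
            pattern++;
            if (*pattern == '\0')
                return 1;                 /* trailing '*' eats the rest */
            for (;; s++) {                /* try every suffix of s */
                if (match_pattern(s, pattern))
                    return 1;
                if (*s == '\0')
                    return 0;
            }
        }
        if (*s == '\0')
            return 0;
        if (*pattern != '?' && *pattern != *s)
            return 0;
        s++;
        pattern++;
    }
}

/* Returns 1 for a positive match, -1 if a negated entry matched, 0 if no
 * entry matched. A negated entry can never produce 1 by itself. */
static int match_pattern_list(const char *string, const char *patterns)
{
    char sub[256];
    int got_positive = 0;

    while (*patterns != '\0') {
        int negated = 0;
        size_t n = 0;

        if (*patterns == '!') {
            negated = 1;
            patterns++;
        }
        while (*patterns != '\0' && *patterns != ',') {
            if (n < sizeof(sub) - 1)
                sub[n++] = *patterns;
            patterns++;
        }
        sub[n] = '\0';
        if (*patterns == ',')
            patterns++;

        if (match_pattern(string, sub)) {
            if (negated)
                return -1;                /* explicit exclusion wins */
            got_positive = 1;
        }
    }
    return got_positive;
}

/* Hostnames compare case-insensitively: lower-case a copy first. */
static int match_hostname(const char *host, const char *patterns)
{
    char lower[256];
    size_t i;

    for (i = 0; host[i] != '\0' && i < sizeof(lower) - 1; i++)
        lower[i] = (char)tolower((unsigned char)host[i]);
    lower[i] = '\0';
    return match_pattern_list(lower, patterns);
}

/* Same decision sequence as the snippet quoted in the thread: a negated hit
 * on address or name rejects; otherwise one positive hit is required. */
int match_host_and_ip(const char *host, const char *ipaddr, const char *patterns)
{
    int mhost, mip;

    if ((mip = match_hostname(ipaddr, patterns)) == -1)
        return 0;
    if ((mhost = match_hostname(host, patterns)) == -1)
        return 0;
    if (mhost == 0 && mip == 0)
        return 0;
    return 1;
}

int main(void)
{
    const char *lists[] = { "!localhost", "!localhost,!127.0.0.1,*" };
    int i;

    for (i = 0; i < 2; i++)               /* constructed sample connections */
        printf("host pattern %-26s local: %d  remote: %d\n", lists[i],
               match_host_and_ip("localhost", "127.0.0.1", lists[i]),
               match_host_and_ip("remote.example", "203.0.113.5", lists[i]));
    return 0;
}
```

With the negation-only list both the local and the remote connection return 0, so a DenyUsers entry built on it denies nobody; with the trailing "*" the local connection still returns 0 (its negated entry matches) while the remote one returns 1 and is denied.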
