On Thu, 2008-12-04 at 10:04 +0100, Damian Wojslaw wrote:
> Iain MacDonnell wrote:
> > I don't think roles can login [via ssh]. I don't have an osol system
> > at hand to test...
> >
> > ~Iain
>
> Roles cannot log in. Only real users can. Besides asking yourself a
> question, why would you ever need to allow remote root logins, you need
> to change root to a normal user and give a password.
>

Finally some sense talking here ^^^^^^

Assuming remote box is non OSOL:

1) Config Mortal Account as necessary to allow root access
   a) su
   b) or even better sudo to provide more granular control

2) Further restrict who can connect via SSH
   a) create sshusers group and add users as appropriate
   b) Add to sshd_config:

      AllowGroups sshusers

   A few other options that you may want to consider. This is off the top
   of my head, check man sshd_config for more.

   i)   Protocol 2 (anyone still using 1 should upgrade)
   ii)  LogLevel VERBOSE
   iii) PermitRootLogin no
   iv)  MaxStartups 5:50:10
   v)   Banner /etc/sshbanner

        /etc/sshbanner
        blah, blah, blah... whatever you want to say to connect attempts
        to port 22, e.g.:

        "Warning: If you do not have an account on this server close the
        connection NOW! All access will be logged. Have a nice day."

   vi)  Consider disallowing password based logins (after uploading
        authorized_keys2 file).

3) Restart sshd

4) login as mortal user

5) "super user up"

Like I said, this is just off the top of my head. I don't tweak sshd_config
options on a daily basis so caveat emptor and RTFM.

Have fun:)

-- 
Ken Gunderson <[EMAIL PROTECTED]>

_______________________________________________
sysadmin-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
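Added example, not part of the message above or of the list thread: a POSIX shell audit of the sshd_config settings the message lists, showing why a file can look hardened and still not be. It assumes "disallowing password based logins" maps to PasswordAuthentication no and reads a single file without following Include; the function names are made up for illustration.

```shell
# Added example: audit the global section of an sshd_config file.
# sshd uses the FIRST value it reads for a keyword, keyword names are
# case-insensitive, and lines after a "Match" line apply conditionally.
# Assumption: "no password logins" is checked as PasswordAuthentication no.
effective_value() {   # FILE KEYWORD -> first global value, if any
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # blank line or comment
        tolower($1) == "match" { exit }      # conditional section begins
        tolower($1) == tolower(want) {       # first occurrence wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

check() {             # FILE KEYWORD EXPECTED -> one finding; 1 unless OK
    got=$(effective_value "$1" "$2")
    if [ -z "$got" ]; then
        echo "WARN $2: unset globally, sshd default applies (want $3)"; return 1
    elif [ "$got" != "$3" ]; then
        echo "FAIL $2: effective value is $got (want $3)"; return 1
    fi
    echo "OK   $2 $got"
}

audit_sshd_config() { # FILE -> checks each setting named in the message
    rc=0
    while read -r key want; do
        check "$1" "$key" "$want" || rc=1
    done <<'EOF'
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxStartups 5:50:10
Banner /etc/sshbanner
AllowGroups sshusers
PasswordAuthentication no
EOF
    return $rc
}

# Constructed sample: the early "permitrootlogin yes" beats the later "no".
sample_config() {
    printf '%s\n' '# constructed sample' 'Protocol 2' 'permitrootlogin yes' \
        'LogLevel VERBOSE' 'PermitRootLogin no' 'Banner /etc/sshbanner' \
        'AllowGroups sshusers' 'Match Group sshusers' ' PasswordAuthentication no'
}
# Audit the file named in $1, or the constructed sample when none is given.
cfg=${1:-$(mktemp)}; [ $# -gt 0 ] || sample_config > "$cfg"
audit_sshd_config "$cfg" || echo "findings present in $cfg"
[ $# -gt 0 ] || rm -f "$cfg"
```

On the constructed sample the audit reports PermitRootLogin as "yes" and PasswordAuthentication as unset, because the only PasswordAuthentication line sits inside a Match block.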
