SSH Root Access Login Control
After reading the “OpenSSH Root user account restriction - revisited” article, I did a test on my testing server.
The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non-networked logins.
By default, rules for access management are taken from the config file /etc/security/access.conf unless you specify another file.
Example: Grant root access for IP Address: 192.168.1.10 ONLY
1. vi /etc/pam.d/sshd and append
account required pam_access.so
2. vi /etc/security/access.conf and add as shown below
# ONLY allow root from IP 192.168.1.10 (the first matching rule wins, so this line must come before the deny rule)
+ : root : 192.168.1.10
# Deny root from everywhere else
- : root : ALL
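Because pam_access stops at the first rule whose user and origin fields both match, the order of the two lines above decides whether the allow rule is ever reached. The following script is an added example (not part of the original post) that simulates that first-match evaluation offline on constructed rule sets, so you can check a rule file before touching the live one. It handles only plain user names, ALL, exact addresses and trailing-dot network prefixes; the real module also understands groups, EXCEPT and other origin forms.

```sh
#!/bin/sh
# Added example: offline simulation of pam_access first-match rule evaluation.
# The rule sets below are constructed for this demo; they are not a real access.conf.

# Allow rule first, catch-all deny second: the order a defender wants.
RULES_OK='# ONLY allow root from 192.168.1.10
+ : root : 192.168.1.10
# Deny root from everywhere else
- : root : ALL'

# Same two rules with the deny first: the allow line is never reached.
RULES_BAD='- : root : ALL
+ : root : 192.168.1.10'

# A trailing dot in the origin field means "network prefix" in access.conf.
RULES_NET='+ : root : 192.168.1.
- : root : ALL'

# field_matches LIST VALUE
# Returns 0 if VALUE appears in the space-separated LIST, if LIST contains ALL,
# or if a list entry ending in "." is a prefix of VALUE (network rule).
field_matches() {
    list=$1; value=$2
    for item in $list; do
        case "$item" in
            ALL) return 0 ;;
            *.) case "$value" in "$item"*) return 0 ;; esac ;;
            "$value") return 0 ;;
        esac
    done
    return 1
}

# pam_access_check RULES USER ORIGIN
# Prints "allow" or "deny". Rules are "permission : users : origins" lines;
# comments and blank lines are skipped; the first rule matching both the user
# and the origin decides; no matching rule means allow, as in pam_access.
pam_access_check() {
    rules=$1; user=$2; origin=$3
    result=allow
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        users=$(printf '%s' "$line" | cut -d: -f2)
        origins=$(printf '%s' "$line" | cut -d: -f3)
        if field_matches "$users" "$user" && field_matches "$origins" "$origin"; then
            case "$perm" in +) result=allow ;; -) result=deny ;; esac
            break
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$result"
}

# Demo: the same question asked of each rule set.
echo "allow-first, root from 192.168.1.10: $(pam_access_check "$RULES_OK" root 192.168.1.10)"
echo "allow-first, root from 10.0.0.5:     $(pam_access_check "$RULES_OK" root 10.0.0.5)"
echo "deny-first,  root from 192.168.1.10: $(pam_access_check "$RULES_BAD" root 192.168.1.10)"
echo "network,     root from 192.168.1.77: $(pam_access_check "$RULES_NET" root 192.168.1.77)"
echo "network,     root from 192.168.2.1:  $(pam_access_check "$RULES_NET" root 192.168.2.1)"
```

Run it as `sh check_access.sh`; the deny-first variant reports "deny" even for 192.168.1.10, which is exactly the lockout you want to catch before the file goes live.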
Save both files and it works! I can ssh root@planetmy.com from 192.168.1.10 but not from other machines.
Note: as soon as you save changes to /etc/security/access.conf they are applied, because PAM reads the file on every login attempt. So be careful when writing rules, back up the file before making any changes, and keep an existing root session open until you have confirmed a new login still succeeds.
Check here to learn more about pam_access.