# Let root ssh in from local net, but not external [solved]

## Akkara

Hi!  I'd like to configure sshd to allow root access from machines on the local net, but not from outside.

My sshd is currently configured to use rsa authentication (that seems to be the default?).  I'd like to set PermitRootLogin to yes, but have it work only for local machines.

Or is rsa authentication secure enough that there's no need to worry? (I use passphrases.)  What if I didn't use passphrases?

Anything else that is recommended in the config below?  I'm somewhat of a networking newbie and am seeking best-practices advice even beyond the immediate question being asked.

`grep '^[^#]' /etc/ssh/sshd_config`

```
Protocol 2
PasswordAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/lib64/misc/sftp-server
```

(X11 forwarding is enabled because I like to use meld to do the etc-updates with, but I'm willing to entertain other ideas here as well.)

Many thanks!

Last edited by Akkara on Sun Jan 13, 2008 11:15 am; edited 2 times in total

----------

## 8086

I'm thinking you could use the AllowUsers directive. Something of the sort:

```
AllowUsers root@whatever_host_you_want_here user1 user2 .. userN
```

*However*. The problem is PermitRootLogin. If you set it to "no", it might disallow all root access. If you set it to "yes", it might allow root access from anywhere. It basically depends on who overrides who.

----------

## MostAwesomeDude

*8086 wrote:*

> *However*. The problem is PermitRootLogin. If you set it to "no", it might disallow all root access. If you set it to "yes", it might allow root access from anywhere. It basically depends on who overrides who.

I believe that PermitRootLogin simply prohibits root from logging in ("su -") locally. It has nothing to do with remote users.

RSA keys are currently impenetrable. (If you believe rumors, the CIA can break them, but otherwise, they're secure.) You should be able to rely on them.

It is bad practice to ever log in as root over SSH; have you considered the following?

```
local-box # ssh unprivileged@remote-box
Enter passphrase:
unprivileged@remote-box $ sudo su -
[sudo] Password for unprivileged:
remote-box #
```

----------

## tarpman

*MostAwesomeDude wrote:*

> I believe that PermitRootLogin simply prohibits root from logging in ("su -") locally. It has nothing to do with remote users.

Given that the PermitRootLogin directive appears in the configuration for the secure remote shell daemon sshd(8) (and not in, e.g., the local system's PAM configuration), would you like to revise that statement at all?

Also, logging in as root and su(1) are two rather different things.

----------

## 8086

`<troll>`

OMG what's with the Ubuntusisms ? "sudo su -" ? Just issue "su -" dammit.

----------

## Akkara

Thanks for the replies.

PermitRootLogin no along with AllowUsers root doesn't let root in.

PermitRootLogin yes along with AllowUsers root@host1 lets root in, from host1 only: exactly what I was looking for.  Also, if my brief testing is any indication, it seems that wildcards work: root@*.my.domain.com.

But now it doesn't let any other users in unless they too are listed with AllowUsers.  It seems that listing a user without mentioning a host lets them in from anywhere, which is good.  (And the positive need to list indirectly limits exposure from any accidental accounts left around).

Thanks!!

Oh, one more thing: Every time I restart sshd to test a new configuration, I'm getting "sshd[1859]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use." in /var/log/messages.  sshd seems to be working fine however.  I tried stopping it and checking for extra sshd processes and none were found.  nmap doesn't show anything active on 22 with sshd stopped.  Should I be concerned about this message?

*MostAwesomeDude wrote:*

> It is bad practice to ever log in as root over SSH; have you considered the following?
>
> ```
> local-box # ssh unprivileged@remote-box
>
> ...
> ```

I had been using that method.  It is just when I'm doing a lot of things between machines it is much easier to rsync files from one to the other as root than to, for example, tar them up on one, transfer as a non-root user, then untar on the other.
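A small model of the AllowUsers behaviour reported in this post (an added example, not sshd's code and not anything posted in the thread): a bare `user` entry matches that user from any source, a `user@host` entry also requires the host pattern to match the client's hostname or address, `*`/`?` wildcards are honoured, and `PermitRootLogin no` is applied before AllowUsers. It deliberately omits OpenSSH's `!` negation, comma-separated alternatives and reverse-DNS rules; the config entries and client hosts are constructed.

```python
import fnmatch

# Constructed sshd_config fragment mirroring the working setup reported in the
# thread: root only from the local domain, two ordinary users from anywhere.
CONFIG = {
    "PermitRootLogin": "yes",
    "AllowUsers": ["root@host1.my.domain.com", "root@*.my.domain.com",
                   "user1", "user2"],
}

def allow_users_permits(allow_users, user, hostname, addr):
    """Model of the AllowUsers check for one login attempt.

    A bare "user" entry matches that user from any source; "user@host" also
    requires the host pattern to match the client's hostname or IP address.
    '*' and '?' wildcards are handled by fnmatch (a simplification of
    OpenSSH's own matcher, which also supports '!' negation and comma lists).
    """
    for entry in allow_users:
        if "@" in entry:
            upat, hpat = entry.split("@", 1)
            if fnmatch.fnmatchcase(user, upat) and (
                fnmatch.fnmatchcase(hostname, hpat)
                or fnmatch.fnmatchcase(addr, hpat)
            ):
                return True
        elif fnmatch.fnmatchcase(user, entry):
            return True
    return False

def login_permitted(config, user, hostname, addr):
    """Combine PermitRootLogin with AllowUsers as the thread observed:
    "PermitRootLogin no" rejects root whatever AllowUsers says, and once an
    AllowUsers line exists every unlisted user is rejected."""
    # "yes" was the PermitRootLogin default of the era; modelled as such here.
    if user == "root" and config.get("PermitRootLogin", "yes") == "no":
        return False
    allow = config.get("AllowUsers")
    if allow is None:
        return True  # no AllowUsers line: sshd does not filter by user
    return allow_users_permits(allow, user, hostname, addr)

if __name__ == "__main__":
    attempts = [("root", "host1.my.domain.com", "192.168.1.10"),
                ("root", "outside.example.org", "203.0.113.5"),
                ("user1", "outside.example.org", "203.0.113.5"),
                ("alice", "host1.my.domain.com", "192.168.1.10")]
    for who, host, ip in attempts:
        verdict = "allow" if login_permitted(CONFIG, who, host, ip) else "deny"
        print(f"{who} from {host} ({ip}): {verdict}")
```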

----------

## 8086

`ps` (or the like) and nmap wouldn't have given you what netstat might have given you. It might take a bit for the port to be reusable after SSHD is terminated; I wouldn't worry about the messages.

----------

## Hu

It has been a long time, but I think I once saw the sshd printing the message about port in use because of the way that Linux handles IPv4 / IPv6 listening sockets.  If I understood it correctly, the problem is that sshd bound IN6ADDR_ANY:22 first, then tried to bind INADDR_ANY:22.  However, Linux allowed the IN6ADDR_ANY:22 to cover IPv4, so the IPv4 listen failed.  I specified an explicit Listen directive and have not seen the message again.

Also, with regard to remote root logins: have you looked at the PermitRootLogin without-password option?  According to man sshd_config:

```
If this option is set to ``without-password'', password authentication is disabled for root.
```

That is, root can log in using RSA keys, but not using root's account password.  This provides a small bit of extra protection, in case the AllowUsers line ever gets removed or modified in an undesirable way.

RSA authentication without passphrases is secure if and only if you can absolutely guarantee that no malicious user can obtain read access to the private key file.  This requires adequate physical security, and strongly suggests that the keys be stored on a "hardened" system that would minimize the access of an intruder who enters over the network.  For a home user, the data is rarely valuable enough to thieves that you need to worry about physical security.  An intruder is more likely to walk off with the computer than to break in just to steal the key and then leave the hardware behind.  For a business, that assumption may not hold.
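The dual-stack bind order described in this post, reproduced as an added example (not from the thread or from OpenSSH): an IPv6 wildcard socket is bound first, then an IPv4 wildcard socket on the same port. On Linux the IPv4 bind fails with EADDRINUSE when the IPv6 socket is dual-stack (IPV6_V6ONLY off) and succeeds when IPV6_V6ONLY is set; a kernel-assigned port is used instead of 22 so it runs without privileges.

```python
import errno
import socket
import sys

IS_LINUX = sys.platform.startswith("linux")

def ipv4_bind_after_ipv6(v6only):
    """Bind [::]:port first, then try 0.0.0.0:port on the same port number,
    the order attributed to sshd above.

    Returns True if the IPv4 bind succeeds, False if it fails with
    EADDRINUSE, and None if this host cannot create or bind an IPv6 socket
    at all (IPv6 absent or disabled).
    """
    try:
        v6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    v4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # IPV6_V6ONLY=0 lets the IPv6 socket also accept IPv4 connections
        # (Linux's default), which is what makes the later IPv4 bind collide.
        v6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        try:
            v6.bind(("::", 0))
            v6.listen(1)
        except OSError:
            return None
        port = v6.getsockname()[1]
        try:
            v4.bind(("0.0.0.0", port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False  # the sshd "Address already in use" situation
            raise
        return True
    finally:
        v4.close()
        v6.close()

if __name__ == "__main__":
    print("dual-stack [::] first, then 0.0.0.0:", ipv4_bind_after_ipv6(False))
    print("IPV6_V6ONLY [::] first, then 0.0.0.0:", ipv4_bind_after_ipv6(True))
```

The `True` case is the effect the explicit listen directive above had: once the two address families no longer share one wildcard socket, the IPv4 bind succeeds and the log message disappears.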

----------

## swimmer

Thx for the tip with AllowUsers - I like it and will use it

Greetz

swimmer

----------

## MostAwesomeDude

*tarpman wrote:*

> *MostAwesomeDude wrote:* I believe that PermitRootLogin simply prohibits root from logging in ("su -") locally. It has nothing to do with remote users.
>
> Given that the PermitRootLogin directive appears in the configuration for the secure remote shell daemon sshd(8) (and not in, e.g., the local system's PAM configuration), would you like to revise that statement at all?
>
> Also, logging in as root and su(1) are two rather different things.

I was talking as if "local" was where sshd was running. Clearly, I was not very awake at that point, lawl.

*8086 wrote:*

> `<troll>`
>
> OMG what's with the Ubuntusisms ? "sudo su -" ? Just issue "su -" dammit.

Something tells me you've never been a guest on a public server, or a server with a "wheel" group. (Ironically, Ubuntu wouldn't require "sudo", since there is not a "wheel" group on Ubuntu.)

----------

