1

I need to set PermitRootLogin no in Solaris 10 server, while still allowing two "peer" servers to have root access via ssh.

How can I achieve this?

cas
  • 1
  • 7
  • 119
  • 185
Matthew Lin
  • 61
  • 1
  • 4

2 Answers2

5

Adding the below lines in the end of /etc/ssh/sshd_config is enough for this requirement:

Match Host unit1-priv0
   PermitRootLogin yes

Match Host unit0-priv0
   PermitRootLogin yes
cas
  • 1
  • 7
  • 119
  • 185
Matthew Lin
  • 61
  • 1
  • 4
-1

Use public/private key.

It is described for many times in internet so I don't think it is userful to repeate it in detail again.

A briefly summary what to do:

  • enable root login on server
  • on client side create ssh public/private keys (ssh-keygen)
  • copy public key to server (ssh-copy-id root@your_server)
  • repeat for second client
  • disable root-login on server

Now only these two clients and the users of the commands above have root access to the server and additionally no password is required anymore.

Maybe this is an good entry point to start over (steps #1 and #2)

ChristophS
  • 565
  • 5
  • 13
  • 1
    This is actually really bad advice and does not answer the question. He clearly stated that he need to set PermitRootLogin no. And havig root enable with or without keys is still considered as not best practice. – BitsOfNix Jul 21 '17 at 20:37
  • BitsOfNix: correct me if public/private key login is NOT possible while `PermitRootLogin no` is set. In this case my answer does not work. Otherwise the question clearly says that two peers still need root login via ssh, even if `PermitRootLogin no` is set. In this case this **is** an answer to the question and the use of keys is no bad advice/bad practice. I can't track your arguments/downvotes. And I would appreciate if you could justify please, why the use of keys is condideres as not best practice – ChristophS Jul 24 '17 at 06:46
  • As an argument why to use keys: https://superuser.com/questions/303358/why-is-ssh-key-authentication-better-than-password-authentication – ChristophS Jul 24 '17 at 07:31
  • read my comment again. the use of PermitRootLogin yes is a bad practice. While usage of keys is a best practice. OP needs to set PermitRootLogin no to disabllow any user from connecting with root, his scenario is only possible with match rule. Why is allowing remote login bad? See here: https://unix.stackexchange.com/questions/82626/why-is-root-login-via-ssh-so-bad-that-everyone-advises-to-disable-it, here: https://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/, But also CISSP guide clearly states that you can enable but so as multi-factor authentication. – BitsOfNix Jul 24 '17 at 20:21
  • I agree, the use of `PermitRootLogin yes` **is** bad practice. So maybe this is a misunderstanding? My answer advises to disable root login in the end. It is only required once to install the public key. After all `PermitRootLogin` is set to `no` at all and only the two - by OP - required peers can login by using their private key. So my answer is exactly what you say. Would you read my answer once again please and we solve this gordian knot. ;) – ChristophS Jul 25 '17 at 05:56
  • And I don't agree that the OPs scenario is only possible with match rule. On Linux my solution works perfectly. *Maybe* Solaris behaves different, but once the public key is installed you can disable PermitRootLogin. Works like a charme and I use as admin inside company on a couple of linux servers ... – ChristophS Jul 25 '17 at 06:03
  • @BitsOfNix: would you please read my answer again, because it is exactly compatible to your second comment! Thus complaining my answer is an bad advice seems to be wrong and downvoting is unsuitable. – ChristophS Jul 26 '17 at 07:07