Hi,

For the root user it is quite easy. Just put
PermitRootLogin No

in sshd_config.

This only allows you to log in through the local console.

Christian

2007/9/2, Radek Hladik:
> Hi,
> I am a little bit confused about the behavior of patterns when used in
> the AllowedUsers directive. I am trying to limit root logins to localhost.
> First I tried
> AllowedUsers root@localhost !root
> which should enable root from localhost and all nonroot users from
> anywhere. However the username part is matched with match_pattern
> function and this function does not take ! into account (see func
> match_user in match.c).
> Secondly I tried
> DenyUsers root@!localhost
> which should deny root when logging from anywhere but localhost.
> Function match_host_and_ip does call match_hostname which calls
> match_pattern_list. But if the match_hostname function returns -1, which
> means "match found and negation was requested", match_host_and_ip returns
> false, as if there were no match. In fact, at least one _positive_ match
> is required to return true:
>
>     /* negative ipaddr match */
>     if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
>         return 0;
>     /* negative hostname match */
>     if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
>         return 0;
>     /* no match at all */
>     if (mhost == 0 && mip == 0)
>         return 0;
>     return 1;
>
> Is there any reason for such a behavior? And is there any other way
> to limit root to localhost in sshd? I know I can limit it i.e. via
> pam_access but I would expect sshd to be able to do it.
>
>
> Radek Hladik
>
>
> P.S. Version of OpenSSH is openssh-4.5p1
>
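
The host-pattern behaviour described in the quoted message, as an added example that is not part of the original thread and is not OpenSSH source: a simplified C model of the quoted decision logic, run on constructed clients. `glob`, `list_match` and `host_and_ip_match` are hypothetical stand-ins for match_pattern, match_hostname/match_pattern_list and match_host_and_ip; the `!localhost,*` form follows the ssh_config(5) PATTERNS rule that a negated match needs an accompanying positive term, and its behaviour in openssh-4.5p1 is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Glob match for '*' and '?' (simplified stand-in for match_pattern). */
static int glob(const char *s, const char *p)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')
        return glob(s, p + 1) || (*s != '\0' && glob(s + 1, p));
    return *s != '\0' && (*p == '?' || *p == *s) && glob(s + 1, p + 1);
}

/* Comma-separated list: -1 negated entry matched, 1 positive match, 0 none. */
static int list_match(const char *s, const char *patterns)
{
    char buf[256], *tok;
    int got_positive = 0;
    snprintf(buf, sizeof(buf), "%s", patterns);
    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int neg = (tok[0] == '!');
        if (glob(s, tok + neg)) {
            if (neg)
                return -1;          /* a negated hit ends the search */
            got_positive = 1;
        }
    }
    return got_positive;
}

/* Same decision as the quoted excerpt: any -1 or no positive match gives 0. */
static int host_and_ip_match(const char *host, const char *ip, const char *pats)
{
    int mip = list_match(ip, pats), mhost = list_match(host, pats);
    if (mip == -1 || mhost == -1)
        return 0;
    return !(mhost == 0 && mip == 0);
}

int main(void)
{
    /* Constructed clients: one remote, one local. 1 = the entry applies. */
    const char *pats[] = { "!localhost", "!localhost,*" };
    for (int i = 0; i < 2; i++)
        printf("%-13s remote=%d local=%d\n", pats[i],
            host_and_ip_match("host.example.org", "192.0.2.10", pats[i]),
            host_and_ip_match("localhost", "127.0.0.1", pats[i]));
    return 0;
}
```

In this model a bare `!localhost` yields 0 for every client, so a `DenyUsers root@!localhost` entry never applies, while `!localhost,*` yields 1 for the remote client and 0 for the local one.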