Hi,
I need to log in locally via ssh, not by console. I want to incorporate
SSH keys and agent forwarding to verify who can log on as root.

Radek

Christian Grunfeld wrote:
> Hi,
>
> For the root user it is quite easy. Just put
> PermitRootLogin No
>
> in sshd_config
>
> This only allows you to log in through the local console
>
> Christian
>
> 2007/9/2, Radek Hladik:
>> Hi,
>> I am a little bit confused about pattern behavior when used in the
>> AllowedUsers directive. I am trying to limit root logins to localhost.
>> First I tried
>> AllowedUsers root@localhost !root
>> which should enable root from localhost and all non-root users from
>> anywhere. However, the username part is matched with the match_pattern
>> function, and this function does not take ! into account (see func
>> match_user in match.c).
>> Secondly I tried
>> DenyUsers root@!localhost
>> which should deny root when logging in from anywhere but localhost.
>> Function match_host_and_ip does call match_hostname, which calls
>> match_pattern_list. But if the match_hostname function returns -1, which
>> means "match found and negation was requested", match_host_and_ip returns
>> false, as if there were no match. In fact, at least one _positive_ match
>> is required to return true:
>>
>>     /* negative ipaddr match */
>>     if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
>>         return 0;
>>     /* negative hostname match */
>>     if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
>>         return 0;
>>     /* no match at all */
>>     if (mhost == 0 && mip == 0)
>>         return 0;
>>     return 1;
>>
>> Is there any reason for such behavior? And is there any other way
>> to limit root to localhost in sshd? I know I can limit it i.e. via
>> pam_access but I would expect sshd to be able to do it.
>>
>>
>> Radek Hladik
>>
>>
>> P.S. Version of OpenSSH is openssh-4.5p1
>>
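
An added example, not part of the thread and not OpenSSH's own code: a simplified C model of the pattern logic discussed in the quoted message, showing why a host part consisting only of `!localhost` never yields a match and why `!` in the user part is treated literally. The names `glob_match`, `list_match` and `host_and_ip`, and the sample hosts and addresses, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Glob match with '*' and '?'; '!' is an ordinary character here (user-name side). */
static int glob_match(const char *s, const char *p)
{
    if (*p == '\0') return *s == '\0';
    if (*p == '*') return glob_match(s, p + 1) || (*s && glob_match(s + 1, p));
    return *s && (*p == '?' || *p == *s) && glob_match(s + 1, p + 1);
}

/* Comma-separated list: 1 = positive match, -1 = a '!' entry matched, 0 = none. */
static int list_match(const char *s, const char *list)
{
    int positive = 0;
    while (*list) {
        char sub[128];
        size_t n = strcspn(list, ",");
        int neg = (list[0] == '!');
        if (n - neg >= sizeof(sub)) return 0;   /* oversized entry: no match */
        memcpy(sub, list + neg, n - neg);
        sub[n - neg] = '\0';
        if (glob_match(s, sub)) {
            if (neg) return -1;
            positive = 1;
        }
        list += n + (list[n] == ',');
    }
    return positive;
}

/* Same decision order as the excerpt quoted in the post. */
static int host_and_ip(const char *host, const char *ip, const char *pats)
{
    int mip = list_match(ip, pats), mhost = list_match(host, pats);
    if (mip == -1 || mhost == -1) return 0;   /* a negated entry was hit */
    return mhost != 0 || mip != 0;            /* otherwise a positive match is needed */
}

int main(void)
{
    /* Constructed inputs: a remote client and a local one. */
    printf("remote vs !localhost   -> %d\n", host_and_ip("evil.example", "203.0.113.9", "!localhost"));
    printf("local  vs !localhost   -> %d\n", host_and_ip("localhost", "127.0.0.1", "!localhost"));
    printf("remote vs !localhost,* -> %d\n", host_and_ip("evil.example", "203.0.113.9", "!localhost,*"));
    printf("user alice vs !root    -> %d\n", glob_match("alice", "!root"));
    return 0;
}
```

In this model a lone negated entry returns 0 for every client, while adding a wildcard after it (`!localhost,*`) supplies the positive match that the final check requires.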