All I wanted was to force SSHd to accept root logins only from localhost.
More detailed description:
We have SSH keys stored on smart cards and we use them to login as root
to our servers. Now we use PermitRoot without-password, which enables us
to control which smartcard can log on as root via
/root/.ssh/authorized_keys. (I am planning to move this to LDAP but it
is another story). I was just trying to secure it a little bit more, as a
user would need to log in as a non-root user and then do ssh root@localhost.
I thought that it would be like 5 minutes to set up, but I've run into the
described strange SSHD behavior regarding AllowedUsers.
I do not want sudo or su as they cannot use the SSH key infrastructure and
agent forwarding. But for clarification I can say that I am looking for
su which could authenticate me with my SSH key instead of password.
I know that root logging in with a key on a smartcard over the network is secure
enough (and sufficient enough for us). I also know that I could use
pam_wheel, but what I am asking is why does SSHd behave so strangely.
Maybe there is some reason and I just do not see it...


Johan Karlström wrote:
> Hi Radek,
> You should use sudo command/functionality.
> If that doesn't solve what you asking about then please explain more
> about what you try to achieve.
> Regards
>> Hi,
>> I need to login locally via ssh not by console. I want to
>> incorporate SSH keys and agent forwarding to verify who can log on as root.
>> Radek
>> Christian Grunfeld wrote:
>>> Hi,
>>> for root user is quite easy. Just put
>>> PermitRootLogin No
>>> in sshd_config
>>> This only allows you to log in through the local console.
>>> Christian
>>> 2007/9/2, Radek Hladik :
>>>> Hi,
>>>> I am a little bit confused about patterns behavior when used in
>>>> AllowedUsers directive. I am trying to limit root logins to localhost.
>>>> First I tried
>>>> AllowedUsers root@localhost !root
>>>> which should enable root from localhost and all nonroot users from
>>>> anywhere. However the username part is matched with match_pattern
>>>> function and this function does not take ! into account (see func
>>>> match_user in match.c).
>>>> Secondly I tried
>>>> DenyUsers root@!localhost
>>>> which should deny root when logging from anywhere but localhost.
>>>> Function match_host_and_ip does call match_hostname which calls
>>>> match_pattern_list. But if match_hostname function returns -1 which
>>>> means "match found and negation was requested", match_host_and_ip
>>>> returns false as there would be no match. In fact at least one _positive_ match
>>>> is required to return true:
>>>> /* negative ipaddr match */
>>>> if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
>>>> return 0;
>>>> /* negative hostname match */
>>>> if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
>>>> return 0;
>>>> /* no match at all */
>>>> if (mhost == 0 && mip == 0)
>>>> return 0;
>>>> return 1;
>>>> Is there any reason for such a behavior? And is there any other way
>>>> to limit root to localhost in sshd? I know I can limit it i.e. via
>>>> pam_access but I would expect sshd to be able to do it.
>>>> Radek Hladik
>>>> P.S. Version of OpenSSH is openssh-4.5p1


> Best regards
> Johan Karlström - CEO, NetRoad AB
> 0705-423 470
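The thread's observations about negated patterns follow directly from the match_host_and_ip logic quoted above. The following C program is an added example, not code from the thread and not OpenSSH's match.c: it reimplements the matcher semantics the quoted snippet shows (glob matching, a comma-separated pattern list with `!` negation that returns 1, 0 or -1, and the "negative match vetoes, at least one positive match is required" rule), with function names borrowed from OpenSSH but bodies of its own. The sample logins (localhost/127.0.0.1 and client.example.org/10.0.0.5) are constructed. It shows that `root@!localhost` denies nobody, because a negated entry alone can never yield the positive match the rule demands, and that `!root` in the user part is a plain glob that matches no real user name. It also evaluates the pattern-list form that pairs the negation with a positive wildcard, `root@!127.0.0.1,*`, which under these semantics matches root from every source except the loopback address; whether a given sshd version accepts a comma-separated host list in DenyUsers is an assumption here and should be checked against that version's sshd_config(5) and a test login before relying on it.

```c
/* Added example, not OpenSSH's match.c: a compact reimplementation of the
 * AllowUsers/DenyUsers matcher whose logic the thread quotes, so the effect
 * of a given entry can be evaluated offline. Function names mirror
 * OpenSSH's; the bodies and the sample logins are this example's own. */
#include <stdio.h>
#include <string.h>

/* Glob match with '*' and '?': 1 on match, 0 otherwise. */
static int match_pattern(const char *s, const char *pattern)
{
    for (;;) {
        if (*pattern == '\0')
            return *s == '\0';
        if (*pattern == '*') {
            while (*pattern == '*')
                pattern++;
            if (*pattern == '\0')
                return 1;                 /* trailing '*' matches the rest */
            for (; *s != '\0'; s++)
                if (match_pattern(s, pattern))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*pattern != '?' && *pattern != *s))
            return 0;
        s++;
        pattern++;
    }
}

/* Comma-separated list with '!' negation: 1 = positive match, -1 = negated
 * match, 0 = no match. A negated entry can only veto, never match on its own. */
static int match_pattern_list(const char *string, const char *patterns)
{
    char sub[256];
    int got_positive = 0;
    const char *p = patterns;
    while (*p != '\0') {
        int negated = (*p == '!');
        size_t n;
        if (negated)
            p++;
        n = strcspn(p, ",");
        if (n >= sizeof(sub))
            n = sizeof(sub) - 1;          /* overlong sub-pattern is truncated */
        memcpy(sub, p, n);
        sub[n] = '\0';
        p += strcspn(p, ",");
        if (*p == ',')
            p++;
        if (match_pattern(string, sub)) {
            if (negated)
                return -1;
            got_positive = 1;
        }
    }
    return got_positive;
}

/* The rule quoted in the thread: a negative match on the IP or the hostname
 * vetoes, and at least one positive match on either is required. */
static int match_host_and_ip(const char *host, const char *ipaddr, const char *patterns)
{
    int mhost, mip;
    if ((mip = match_pattern_list(ipaddr, patterns)) == -1)
        return 0;
    if ((mhost = match_pattern_list(host, patterns)) == -1)
        return 0;
    return !(mhost == 0 && mip == 0);
}

/* One USER or USER@HOST entry. The user part is a plain glob, so a leading
 * '!' is a literal character there, which is why "!root" matches nobody. */
static int match_user(const char *user, const char *host, const char *ipaddr, const char *pattern)
{
    char userpat[128];
    const char *at = strchr(pattern, '@');
    size_t n;
    if (at == NULL)
        return match_pattern(user, pattern);
    n = (size_t)(at - pattern);
    if (n >= sizeof(userpat))
        return 0;
    memcpy(userpat, pattern, n);
    userpat[n] = '\0';
    if (match_pattern(user, userpat) != 1)
        return 0;
    return match_host_and_ip(host, ipaddr, at + 1);
}

/* Whole space-separated directive value: 1 if any entry matches the login. */
int directive_matches(const char *entries, const char *user, const char *host, const char *ipaddr)
{
    char entry[256];
    const char *p = entries;
    for (p += strspn(p, " \t"); *p != '\0'; p += strspn(p, " \t")) {
        size_t n = strcspn(p, " \t");
        if (n >= sizeof(entry))
            n = sizeof(entry) - 1;
        memcpy(entry, p, n);
        entry[n] = '\0';
        p += strcspn(p, " \t");
        if (match_user(user, host, ipaddr, entry) == 1)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample logins: root from the loopback and from a remote host. */
    const char *attempt = "root@!localhost";      /* the thread's DenyUsers attempt */
    const char *working = "root@!127.0.0.1,*";    /* negation plus a positive wildcard */
    printf("%-20s local=%d remote=%d\n", attempt,
           directive_matches(attempt, "root", "localhost", "127.0.0.1"),
           directive_matches(attempt, "root", "client.example.org", "10.0.0.5"));
    printf("%-20s local=%d remote=%d\n", working,
           directive_matches(working, "root", "localhost", "127.0.0.1"),
           directive_matches(working, "root", "client.example.org", "10.0.0.5"));
    return 0;
}
```

Read as a DenyUsers value, the first line of output shows root denied from nowhere (the thread's complaint), the second shows root denied from the remote host and permitted from the loopback. The host part is compared against both the client's IP address and its resolved hostname, so anchoring the rule on the address rather than on the name "localhost" avoids depending on reverse DNS; this is a restriction on where root may connect from, not a replacement for PermitRootLogin without-password and the authorized_keys control the thread already relies on.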