In response to Security Tip: Disable Root SSH Logins on Linux

There was an option that wasn't covered for allowing direct root logins via ssh for linux. And that's with sshd and pam.d. It's really a simple solution if you need to allow direct root logins from a server, subnet, domain, IPv4/v6 etc.

Without getting into the specifics of PAM what you want to do is add the following line to /etc/security/access.conf
- : root : ALL EXCEPT <space delimited server list here>

and add this line: account require to your /etc/pam.d/sshd file.
NOTE: You may not have to add this line to /etc/pam.d/sshd if sshd requires system-auth and is referenced there.

Now you've effectivly limited where the root user can login from. Of course, disabling direct root altogether is a better and more secure option, if you have a bunch of legacy scripts (like I do) that gather information from servers, or do things like account modification for 100's of Linux servers, and rewriting all of those legacy scripts to login and use a PRIV facility like su or sudo would cost countless amounts of man hours. Just the thought of pouring over 10's of thousands of lines of non portable code that came from HP-UX or AS400 makes me want to be thrown into a bathtub with a family of rabbid racoons.

Just my two cents,

Posted 4 years ago