Add
"auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=succeed"
to /etc/pam.d/sshd
touch /etc/sshusers
chmod 500 /etc/sshusers
Add "username" to /etc/sshusers, where username is the authorized user you would want to be able to log in.
Hope this helps.
Quintin Womack
-----Original Message-----
From: "Watson, Michael"
Sent: Nov 25, 2003 9:21 AM
To: "'suse-security@suse.com'"
Subject: [suse-security] Disabling remote root login
Greetings!
I am experimenting with SuSE 9.0 professional and have encountered something
I don't understand.
I have disabled telnet, allowing only ssh for remote logins. Problem is, I
can ssh from Windows using putty to the test computer and log in remotely as
root, even though my /etc/securetty includes only entries for tty1 through
tty6. I don't want to allow remote root logins.
I did find a reference elsewhere to a similar problem, which was caused by
/etc/pam.d/login having its lines for pam_securetty.so and pam_nologin.so
commented out. I've checked my /etc/pam.d/login, and the relevant lines
read:
auth required pam_securetty.so
auth required pam_nologin.so
I was eventually able to disable remote root logins via ssh by setting
"PermitRootLogin" to "no" in /etc/ssh/sshd_config, but I'm still curious why
the settings in securetty don't seem to be working. Can anyone point out
what I'm missing?
Thanks,
Michael Watson
mwatso@lsuhsc.edu
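
An added example, not part of the thread: a simplified shell model of the decision the pam_listfile line in the reply yields for a given user, including the onerr=succeed path taken when the list file cannot be read. The function name listfile_decision is hypothetical, and the model covers only item=user with the sense, file and onerr options.

```shell
#!/bin/sh
# Added example (not from the thread): simplified model of pam_listfile
# with item=user. Prints allow, deny or no-rule for <username>, given a
# PAM service file such as /etc/pam.d/sshd.
listfile_decision() {
    pamconf=$1; user=$2
    # First uncommented line that loads pam_listfile.so
    line=$(grep -v '^[[:space:]]*#' "$pamconf" | grep 'pam_listfile\.so' | head -n 1)
    [ -n "$line" ] || { echo no-rule; return 0; }

    sense=; file=; onerr=fail          # onerr defaults to fail when omitted
    for opt in $line; do
        case $opt in
            sense=*) sense=${opt#sense=} ;;
            file=*)  file=${opt#file=} ;;
            onerr=*) onerr=${opt#onerr=} ;;
        esac
    done

    # Error path: bad options or a list file that cannot be read.
    # The module then returns whatever onerr says.
    if [ -z "$file" ] || [ ! -r "$file" ] ||
       { [ "$sense" != allow ] && [ "$sense" != deny ]; }; then
        [ "$onerr" = succeed ] && echo allow || echo deny
        return 0
    fi

    # Normal path: whole-line match of the user name against the list.
    if grep -Fxq -- "$user" "$file"; then listed=yes; else listed=no; fi
    case $sense:$listed in
        allow:yes|deny:no) echo allow ;;
        *)                 echo deny ;;
    esac
}

# Usage: sh thisscript <pam-service-file> <username>
if [ "$#" -eq 2 ]; then listfile_decision "$1" "$2"; fi
```

With onerr=succeed, a missing or unreadable /etc/sshusers makes this module pass every user, so the presence and permissions of that file are worth monitoring.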