Bug 995

Summary: PermitRootLogin by IP address block specification
Product: Portable OpenSSH Reporter: Daniel Senie <dts>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WORKSFORME    
Severity: enhancement    
Priority: P3    
Version: 3.6.1p2   
Hardware: All   
OS: All   

Description Daniel Senie 2005-03-08 06:56:46 AEDT 
In looking at the options for PermitRootLogin, we find that none properly
address our needs. We use root login with password between servers in a data
center. All of these machines are firewalled. We prefer to leave root login
permitted for various infrequent operations (file copies, etc.) but do not want
to leave keys on the machine to allow such commands at will (concerns that if
one machine is compromised, we would have all machines compromised).

So, we'd like to suggest a mechanism that would permit us to specify one or more
CIDR blocks as places from which root login is permitted. That way, we can
connect into the data center, and then connect among machines as desired, with
fewer issues.

Please consider this an enhancement request. Were it not for the present
pounding our machines take from people trying to break in by guessing passwords,
we probably would not even be asking. As a precaution due to the attacks, we
have disabled root login entirely, but this is interfering with some of our
normal workflow.

I'd be happy to answer any questions.
Comment 1 Darren Tucker 2005-03-08 12:35:32 AEDT 
Would something like this in sshd_config do what you want (assuming your cluster
addresses are 192.168.0.0/24, untested):

DenyUsers root@!192.168.0.*
Comment 2 Daniel Senie 2005-03-08 12:52:47 AEDT 
Ha, thank you. The man page for the AllowUsers and DenyUsers does actually
mention this, but it was not at all apparent without an example that a
wildcarded IP address would do the trick. Guess this should become a suggestion
for the documentation writers to add an example or two.

It'd still be nice to permit based on CIDR, but what's there is sufficient for
my immediate needs. Again, thanks for pointing this out.
Comment 3 Darren Tucker 2005-03-08 13:18:45 AEDT 
Supporting CIDR notation is an open enhancement request (see bug #976).

Note that it may be possible to fool this by faking the reverse DNS resolution
to look like an IP address (recent versions specifically check for this).
Comment 4 Darren Tucker 2006-10-07 11:39:05 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.