
Hi, I'm new to Tectia SSH. I would like to know how to configure the ssh-server-config.xml to deny direct root login from a PC with an SSH client installed. The server is installed with SSH Tectia Server version 6.07. Previously we had OpenSSH and we edited the sshd_config with "PermitRootLogin no", and root was not able to be used as a login ID. You can still su to root after you have successfully logged in. In Tectia SSH I believe there's a similar setting, but I'm not able to set the correct setting to deny root login.

The following is the entry in the ssh-server-config.xml:

<authentication-methods login-grace-time="60">
  <authentication name="Default-Authentication" action="allow">
    <auth-publickey />
    <auth-password failure-delay="2" max-tries="3" />
    <auth-gssapi allow-ticket-forwarding="no" />
    <auth-keyboard-interactive failure-delay="2" max-tries="3">
      <submethod-password />
    </auth-keyboard-interactive>
  </authentication>
  <authentication name="denyadmin" action="deny">
    <selector>
      <user-privileged value="yes" allow-undefined="no" />
    </selector>
  </authentication>
</authentication-methods>

Can someone enlighten me with a sample config file with root denied to login?

Regards

asked Oct 27 '10 at 09:52


sgpolarbear

edited Oct 29 '10 at 19:26


Roman ♦♦


Switch the authentication rules

The way that selector rules work is that the first one to match will be used. Therefore, in your example, since the Default-Authentication rule comes first and has no selectors, it will match all users and the second rule will not be processed. If you switch the rules around (so that the denyadmin rule is first) it should work.

This way the first authentication rule will only match privileged users (i.e. root) and deny login. For the rest of the users the first rule will not match, and they'll proceed to the second rule, which matches for all.

So it would look like this:

<authentication-methods login-grace-time="60">

  <authentication name="denyadmin" action="deny">
    <selector>
      <user-privileged value="yes" allow-undefined="no" />
    </selector>
  </authentication>

  <authentication name="Default-Authentication" action="allow">
    <auth-publickey />
    <auth-password failure-delay="2" max-tries="3" />
    <auth-gssapi allow-ticket-forwarding="no" />
    <auth-keyboard-interactive failure-delay="2" max-tries="3">
      <submethod-password />
    </auth-keyboard-interactive>
  </authentication>

</authentication-methods>

answered Nov 01 '10 at 07:08


Roman ♦♦
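As an added illustration (not code from the question, from Roman's answer, or from SSH Tectia itself), the following Python checker applies the first-match evaluation the answer describes to both orderings of the <authentication-methods> block and reports which rule a root login would hit. It assumes the semantics stated in the answer (rules tried in order, first match wins, a rule without a selector matches everyone), models only the user-privileged selector, and treats a missing action attribute as "allow"; the two configs embedded in it are constructed samples trimmed to one authentication method.

```python
# Added checker, not code from the question, the answer or SSH Tectia.
# Assumed semantics (from the answer): rules are tried in document order,
# the first match wins, a rule with no <selector> matches every user.
# Only <user-privileged> is modelled; a missing action is assumed "allow".
import xml.etree.ElementTree as ET

# Constructed sample: the order from the question (allow-all rule first).
ORIGINAL = """<authentication-methods login-grace-time="60">
  <authentication name="Default-Authentication" action="allow">
    <auth-password failure-delay="2" max-tries="3" />
  </authentication>
  <authentication name="denyadmin" action="deny">
    <selector><user-privileged value="yes" allow-undefined="no" /></selector>
  </authentication>
</authentication-methods>"""

# Constructed sample: the order from the answer (deny rule first).
FIXED = """<authentication-methods login-grace-time="60">
  <authentication name="denyadmin" action="deny">
    <selector><user-privileged value="yes" allow-undefined="no" /></selector>
  </authentication>
  <authentication name="Default-Authentication" action="allow">
    <auth-password failure-delay="2" max-tries="3" />
  </authentication>
</authentication-methods>"""


def selector_matches(selector, privileged):
    """True if every condition inside one <selector> holds for the user."""
    for cond in selector:
        if cond.tag != "user-privileged":
            raise ValueError(f"selector {cond.tag!r} is not modelled here")
        if (cond.get("value") == "yes") != privileged:
            return False
    return True


def first_matching_rule(config_xml, privileged):
    """Return (name, action) of the first rule matching the user, or None."""
    for rule in ET.fromstring(config_xml).findall("authentication"):
        selectors = rule.findall("selector")
        # No selector: matches everyone. Several selectors: any one may match.
        if not selectors or any(selector_matches(s, privileged) for s in selectors):
            return rule.get("name"), rule.get("action", "allow")
    return None


def root_login_denied(config_xml):
    """The check an admin wants: does a privileged (root) login hit a deny rule?"""
    rule = first_matching_rule(config_xml, privileged=True)
    return rule is not None and rule[1] == "deny"
```

Running root_login_denied on the two samples reproduces the answer: the original order lets root through the allow-all rule, the swapped order stops at denyadmin while ordinary users still reach Default-Authentication.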

Hi Roman, thanks! Now it's working.

(Nov 14 '10 at 14:18) sgpolarbear
Asked: Oct 27 '10 at 09:52

Seen: 3,964 times

Last updated: Nov 01 '10 at 07:08

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.