To secure SSH access for root and permit it for other users on UCS, have a look at the following.
Basically, with the UCR variable
ucr set sshd/permitroot=<value>
you can set the following restrictions for root:
- yes allows root login without restrictions,
- without-password allows root to authenticate only with a public key (password authentication is refused),
- no denies root login altogether.
The value ends up in the PermitRootLogin directive of sshd_config; recent OpenSSH releases call the key-only setting prohibit-password and still accept without-password as an alias.
This is one way to keep the usual brute-force attacks against root on port 22 in check.
The variables listed by
ucr search auth/sshd/
control which users and groups may log in via SSH.
Please see also our documentation.
The following examples set sshd restrictions for users and for groups.
In the case below, SSH login is allowed only for the user testssh:
ucr set auth/sshd/user/testssh=yes
This works for LDAP users as well as for local users.
Here only members of the groups Administrators, Computers, Backup Nodes, Replica Nodes and Domain Admins may use SSH; the entries for three of them look like this:
auth/sshd/group/DC Backup Nodes: yes
auth/sshd/group/DC Replica Nodes: yes
auth/sshd/group/Domain Admins: yes
The general form is
ucr set auth/sshd/group/yourgroup=yes
(or =no). Group names containing spaces must be quoted on the shell, e.g. ucr set "auth/sshd/group/DC Backup Nodes=yes".
Disallowing root and allowing only a single LDAP user works until the LDAP service goes down; then nobody can log in via SSH any more. Consider creating a local user with adduser, allowing it in the same way (ucr set auth/sshd/user/<localuser>=yes, since the restriction applies to local users too), and keeping key-based root access open with the UCR variable:
ucr set sshd/permitroot=without-password
Root then needs a public key in /root/.ssh/authorized_keys. With that you can still reach your system even when most services except sshd are down.
It is good practice to test the users' SSH access from a second session before root or Administrators are locked out, and to keep the current session open until the new login works. But no worries: with a broken SSH there is still
UMC --> Settings --> Univention Configuration Registry, where you can change the sshd settings accordingly.
And with a broken SSH and no LDAP there is still the rescue boot.
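The lockout check from the paragraphs above, as an added example (not code from the original post and not part of UCS): it parses the "key: value" lines that ucr search prints, lists the users and groups currently allowed through auth/sshd/, answers whether any account could still log in if LDAP went down, and builds the correctly quoted ucr set commands for the recommended fix. The sample ucr output, the set of local accounts and the root_has_key flag are constructed inputs; on a real system feed it the actual ucr search output, /etc/passwd and the state of /root/.ssh/authorized_keys. It assumes root is governed solely by sshd/permitroot and that auth/sshd/group entries refer to domain groups that cannot be resolved without LDAP.

```python
import re
import shlex

# Constructed sample of what `ucr search auth/sshd/ sshd/permitroot` prints on a
# system configured like the post: root denied, one LDAP user, three groups.
# The indented line is a variable description as ucr search adds; the parser skips it.
SAMPLE_UCR_OUTPUT = """\
auth/sshd/group/DC Backup Nodes: yes
 Allow members of this group to log in via SSH
auth/sshd/group/DC Replica Nodes: yes
auth/sshd/group/Domain Admins: yes
auth/sshd/user/testssh: yes
sshd/permitroot: no
"""

# Constructed: accounts present in /etc/passwd, i.e. usable during an LDAP outage.
LOCAL_USERS = {"root", "emergency"}

# A value line starts in column 0 and has no colon in the key; description lines are indented.
_UCR_LINE = re.compile(r"^(?P<key>[^\s:][^:]*):\s*(?P<value>.*)$")


def parse_ucr(text):
    """Turn `ucr search` / `ucr dump` style 'key: value' lines into a dict of set variables."""
    settings = {}
    for line in text.splitlines():
        m = _UCR_LINE.match(line)
        if m and m.group("value").strip() != "<empty>":  # ucr prints <empty> for unset variables
            settings[m.group("key")] = m.group("value").strip()
    return settings


def _enabled(settings, prefix):
    """Names whose auth/sshd/... variable is set to yes."""
    return {k[len(prefix):] for k, v in settings.items()
            if k.startswith(prefix) and v.lower() == "yes"}


def allowed_ssh_users(settings):
    return _enabled(settings, "auth/sshd/user/")


def allowed_ssh_groups(settings):
    return _enabled(settings, "auth/sshd/group/")


def ldap_outage_logins(settings, local_users, root_has_key):
    """Accounts that can still log in via SSH when LDAP is unreachable.

    Assumptions (not from the post): root depends only on sshd/permitroot, an unset
    sshd/permitroot does not count as allowed, and group entries are ignored because
    domain group membership is resolved through LDAP.
    """
    logins = []
    permitroot = settings.get("sshd/permitroot")
    if permitroot == "yes" or (permitroot == "without-password" and root_has_key):
        logins.append("root")
    for user in sorted(allowed_ssh_users(settings) & (local_users - {"root"})):
        logins.append(user)
    return logins


def ucr_set_command(key, value):
    """Shell-quoted `ucr set` line; the quoting matters for group names with spaces."""
    return "ucr set " + shlex.quote(f"{key}={value}")


def hardening_plan(local_user):
    """The post's recommendation as ucr commands: key-only root plus an allowed local rescue user."""
    return [
        ucr_set_command("sshd/permitroot", "without-password"),
        ucr_set_command(f"auth/sshd/user/{local_user}", "yes"),
    ]


if __name__ == "__main__":
    current = parse_ucr(SAMPLE_UCR_OUTPUT)
    print("allowed users :", sorted(allowed_ssh_users(current)))
    print("allowed groups:", sorted(allowed_ssh_groups(current)))
    survivors = ldap_outage_logins(current, LOCAL_USERS, root_has_key=False)
    print("logins surviving an LDAP outage:", survivors or "NONE - you would be locked out")
    if not survivors:
        for cmd in hardening_plan("emergency"):
            print("suggested:", cmd)
```

Run it on the real output of ucr search auth/sshd/ sshd/permitroot before you set sshd/permitroot=no; an empty survivor list means the only remaining way in is UMC or the rescue boot.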
Login restrictions of this kind are supported for the following PAM services (the same auth/<service>/user/... and auth/<service>/group/... variables apply):
chfn, chsh, cron, ftp, gdm, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo
You can't use the traditional AllowUsers directive you may know from a standard sshd_config for the user settings discussed above (on UCS, sshd_config is generated by UCR, so manual edits do not persist). Instead look into