--- On Wed, 9/10/08, Wayne Sweatt <sweatt@xxxxxxxx> wrote:
> I would like to get the word on how to best set up my sshd
> server to allow
> root on a single client hostbased authorization to several
> servers - as
> securely as possible.
> I have a requirement to have unattended root access to
> these systems.
> I need to have hostbased work for root only. No non-root
> users should be
> able to use hostbased, but kerberos instead.
Can you force key authentication on the server? That always helps.
Either way, you could use authorized_keys in the root account of the ssh server to include keys from the clients needing access. If that's not tight enough, you could prepend a 'permitonly' line in the root servers' authorized_keys file entry for each key. ie:
from="10.5.4.3" ssh-dss qKAF7fFNeOJcdA+vWa..etc..key...
from="10.5.4.88" ssh-dss hFTn2NlbU4bgP...etc...key...
