Restricting root to specific network while leaving other accounts unaffected

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sun Jul 14 20:12:54 UTC 2013


Hi,

Got a kind of question that seems to have been raised a lot, but which seems to
have no answer yet according to my Google search.  All solutions so far have
been to use key pairs or sudo. Both solutions I was aware of, but they kind of
don't help.

Let me explain a bit about why I need the weird sshd setup.  I have a bunch of
production servers.  Each production server has a UAT. And lots of QA and
dev systems too. All are running JBoss.

For QA and dev systems, we use Jenkins for deployment. For UAT and
production, we do it manually. I usually run rsync with the dry-run flag to see
what has changed on the QA box and then selectively move the files I need to
UAT.  The process repeats on prod from UAT.

Now, to make sure I don't miss files remotely, I need to SSH as root. Using
any other account risks leaving out some files and having people complain at
you when the update fails.  So I enabled remote root access, and that's how we
have been working.

My ideal solution is to disable root access to production, disable root
access to UAT other than from production and disable root access to QA
other than from UAT boxes.

SSH keys don't work well here. I would have to put the keys all over, and
that's even more insecure. Sudo only works locally, so I don't see how it can
be useful.

That left looking at ways to selectively allow root access, but from a
bit of Googling, it seems either I have missed it or sshd can't be set up
this way.

How have people here handled such a situation?

Regards,

William
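
Added example (not part of the original post): the tiered restriction William describes maps onto sshd's `Match Address` blocks. Keywords inside a `Match` block override the global section for connections whose source address matches, so the global default can stay `PermitRootLogin no` and a single block can re-enable it for one network. The fragment below is what a UAT host would carry; QA hosts get the same file with the UAT subnet in place of the production one, and production hosts get only the global `no`. The 10.10.0.0/24 range and the host names are assumptions standing in for the real production network.

```text
# /etc/ssh/sshd_config on a UAT host (added example, not the poster's config)
# Global default: root cannot log in over SSH from anywhere.
PermitRootLogin no

# Match blocks must come after every global setting. When the client's
# source address matches, the keywords below override the global value.
# 10.10.0.0/24 is an assumed placeholder for the production subnet;
# a comma-separated list of single hosts (10.10.0.5,10.10.0.6) also works.
Match Address 10.10.0.0/24
    PermitRootLogin yes
    # To require a key rather than a password even from production, use
    # "PermitRootLogin without-password" ("prohibit-password" is the
    # synonym added in OpenSSH 7.0; both spellings are accepted there).

# Check the effective value for a hypothetical connection before reloading:
#   sshd -T -C user=root,host=prod01,addr=10.10.0.5 | grep -i permitrootlogin
#   sshd -T -C user=root,host=laptop,addr=192.168.1.20 | grep -i permitrootlogin
# The first prints "permitrootlogin yes", the second "permitrootlogin no".
# Reload sshd afterwards to apply the change.
```

`Match Address` only looks at the peer address of the TCP connection, so it is an access-control layer on top of whatever authentication root uses, not a replacement for it: anyone who gets a shell on a production box inherits the path to root on UAT, and from there to QA.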