Secure Shell
Restricting SSH access per user to specific sources Mar 26 2010 06:19AM
Michael (milegrin gmail com)

My first request so please excuse any etiquette faux pax.

I have been searching for a solution for a few weeks now and managed
to find one or two server wide examples & discussions but not any for
user specific restrictions.

Firstly, the setup :
Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version (latest version for AIX I am aware of). There are also a
few linux boxes, mostly redhat and Ubuntu.

We have a central management server running AIX 6100-03-01 which
runs distributed shell commands (dsh - essentially SSH's to all
servers and runs the specific command) but for this to work root ssh
needs to be enabled. I also have a number of application users that
need to be able to SSH/SCP/SFTP between servers.

For security reasons I need to only allow root ssh from the
management server only.
For audit purposes I need to ensure that application UserID's will
only accept connections from specific hosts. All this needs to be
done without impacting where the administrators can connect from so it
needs to be user specific. As TCP Wrapper is not used on the AIX
servers that is currently not an option and the configuration needs to
go through the various OpenSSH configs.

Example :

Mngt Server
App1 Server
App2 Server
App3 Server

- The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root

I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files. I have also tried ~/.ssh/config to no avail. As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.

I would appreciate any help!

R e g a r d s
M i c h a e l L G r i f f i n

Please consider the environment before printing this email

He who play in root,
eventually kill tree.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus