Secure Shell
Restricting SSH access per user to specific sources Mar 26 2010 06:19AM
Michael (milegrin gmail com) (4 replies)
Re: Restricting SSH access per user to specific sources Mar 28 2010 03:42AM
Darren Tucker (dtucker zip com au)
Re: Restricting SSH access per user to specific sources Mar 27 2010 10:24AM
Lars Nooden (lars curator gmail com)
Re: Restricting SSH access per user to specific sources Mar 26 2010 07:48PM
James B. Byrne (byrnejb harte-lyne ca)
RE: Restricting SSH access per user to specific sources Mar 26 2010 04:18PM
Imran Javeed (Imran Javeed vocalink com) (1 replies)
The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root

I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files. I have also tried ~/.ssh/config to no avail. As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.

#################################################################

Michael

What options did you use for AllowUsers in sshd_config?

From my experience, these should work

Imran

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Michael
Sent: 26 March 2010 06:19
To: secureshell (at) securityfocus (dot) com [email concealed]
Subject: Restricting SSH access per user to specific sources

Hi

My first request so please excuse any etiquette faux pax.

I have been searching for a solution for a few weeks now and managed
to find one or two server wide examples & discussions but not any for
user specific restrictions.

Firstly, the setup :
Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
5.0.0.5302 (latest version for AIX I am aware of). There are also a
few linux boxes, mostly redhat and Ubuntu.

We have a central management server running AIX 6100-03-01 which
runs distributed shell commands (dsh - essentially SSH's to all
servers and runs the specific command) but for this to work root ssh
needs to be enabled. I also have a number of application users that
need to be able to SSH/SCP/SFTP between servers.

For security reasons I need to only allow root ssh from the
management server only.
For audit purposes I need to ensure that application UserID's will
only accept connections from specific hosts. All this needs to be
done without impacting where the administrators can connect from so it
needs to be user specific. As TCP Wrapper is not used on the AIX
servers that is currently not an option and the configuration needs to
go through the various OpenSSH configs.

Example :

Mngt Server
App1 Server
App2 Server
App3 Server

- The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root

I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files. I have also tried ~/.ssh/config to no avail. As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.

I would appreciate any help!

R e g a r d s
M i c h a e l L G r i f f i n

Please consider the environment before printing this email

He who play in root,
eventually kill tree.

*****************************************************
This email is issued by a VocaLink group company. It is confidential and intended for the exclusive use of the addressee only. You should not disclose its contents to any other person. If you are not the addressee (or responsible for delivery of the message to the addressee), please notify the originator immediately by return message and destroy the original message. The contents of this email will have no contractual effect unless it is otherwise agreed between a specific VocaLink group company and the recipient.

The VocaLink group companies include, among others: VocaLink Limited (Company No 06119048, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no 1023742, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Three Rivers Court, Homestead Road, Rickmansworth, Hertfordshire. WD3 1FX. United Kingdom, LINK Interchange Network Limited (Company No 3565766, VAT No. 907 9619 87) which is registered in England and Wales at registered office Arundel House, 1 Liverpool Gardens, Worthing, West Sussex, BN11 1SL and VocaLink Holdings Limited (Company No 06119036, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom.

The views and opinions expressed in this email may not reflect those of any member of the VocaLink group. This message and any attachments have been scanned for viruses prior to leaving the VocaLink group network; however, VocaLink does not guarantee the security of this message and will not be responsible for any damages arising as a result of any virus being passed on or arising from any alteration of this message by a third party. The VocaLink group may monitor emails sent to and from the VocaLink group network.

This message has been checked for all email viruses by MessageLabs.
*************************************************************

[ reply ]
Re: Restricting SSH access per user to specific sources Mar 29 2010 07:05PM
Wayne Sweatt (sweatt lanl gov) (1 replies)
Openssh release Notes Archive... Mar 30 2010 09:15PM
Hasan Rezaul-CHR010 (CHR010 motorola com) (1 replies)
Re: Openssh release Notes Archive... Mar 31 2010 04:32PM
Lars Nooden (lars curator gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus