Secure Shell
Restricting SSH access per user to specific sources Mar 26 2010 06:19AM
Michael (milegrin gmail com) (4 replies)
Re: Restricting SSH access per user to specific sources Mar 28 2010 03:42AM
Darren Tucker (dtucker zip com au)
Re: Restricting SSH access per user to specific sources Mar 27 2010 10:24AM
Lars Nooden (lars curator gmail com)
On Fri, 26 Mar 2010, Michael wrote:
> ... We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled.

When sudo is enabled and with a properly configured sudoers file, that
risk is not necessary to take and root login can be turned off. Run the
programs manually with -vvv appended to the ssh client's arguments to see
exactly what is being sent to the server and then the correct regex can be
added to sudoers. Then a dedicated account can be used to limit access
appropriately.

> I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to only allow root ssh from the
> management server only.

That hole can be closed. See above. Later, DNSSEC should be used if it
is not already so that there is a greater chance that the machine calling
itself the management server really is the management server.

> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so it
> needs to be user specific...

If you can, upgrade to 5.3p or wait a few days and upgrade to 5.5p.

One way could be via the keys used to log in. Starting with 5.1 sshd
allows CIDR matching in ~/.ssh/authorized_keys [1] with a fallback to
regular pattern matching.

Even simpler would be to use the Match directive in sshd_config to apply
restrictions to different groups of users. CIDR address masks can be
added or individual addresses:

MaxAuthTries 0

# Criteria on a Match line are separated by spaces; a comma separates
# alternative values of one criterion. Flag values are lower-case yes/no.
Match Group maintainers
    MaxAuthTries 6

Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6

Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no

The first match to succeed is used.

Regards,
/Lars Nooden

[1] http://www.openssh.org/txt/release-5.1

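As an added example (not part of Lars's post, and not OpenSSH code), the following Python models the two mechanisms he describes: the from="..." option in authorized_keys, whose pattern list sshd matches CIDR-first with a fallback to wildcard matching since 5.1, and sshd_config Match blocks. The configuration is the posted Match example with its criteria written space-separated, as sshd_config(5) expects; the from= list, the user names, the client addresses and the hostname mgmt.example.com are constructed for the example. The Match semantics implemented are the ones documented in sshd_config(5): every block whose criteria are all satisfied applies, and where a keyword appears in more than one satisfied block only its first instance is used, which is what decides the policy for an account that belongs to more than one of the groups.

```python
"""Constructed model (not OpenSSH code) of the two source restrictions discussed
in the thread: the from="..." authorized_keys option and sshd_config Match blocks."""
import fnmatch
import ipaddress

# The posted fragment; Match criteria are space-separated (commas separate values within one criterion).
SSHD_CONFIG = """\
MaxAuthTries 0
Match Group maintainers
    MaxAuthTries 6
Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6
Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no
"""
# Constructed contents of from="...": the whole /24 except one host, plus a reverse-DNS hostname.
FROM_LIST = "!192.168.0.13,192.168.0.0/24,mgmt.example.com"

def _match_list(patterns, matches):
    """Comma-separated list, '!' negates: 1 positive, 0 no match, -1 negated hit."""
    result = 0
    for entry in patterns.split(","):
        neg = entry.startswith("!")
        if matches(entry[1:] if neg else entry):
            if neg:
                return -1  # as in sshd, a negated hit overrides any positive one
            result = 1
    return result

def match_pattern_list(name, patterns):
    """Like sshd's match_pattern_list(): shell-style wildcards per entry."""
    return _match_list(patterns, lambda pat: fnmatch.fnmatchcase(name, pat))

def match_address_list(addr, patterns):
    """Like sshd's addr_match_list() (5.1+): CIDR or plain address per entry, wildcard fallback."""
    ip = ipaddress.ip_address(addr)
    def cidr_or_wildcard(pat):
        try:
            return ip in ipaddress.ip_network(pat)
        except ValueError:
            if "/" in pat:  # sshd rejects a mask with host bits set as an error
                raise
            return fnmatch.fnmatchcase(addr, pat)
    return _match_list(patterns, cidr_or_wildcard)

def authorized_key_from_allows(from_list, addr, hostname):
    """Like sshd's match_host_and_ip() for from="...": a negated match on the
    address or the hostname rejects, else a positive match on either accepts."""
    mip, mhost = match_address_list(addr, from_list), match_pattern_list(hostname, from_list)
    return mip != -1 and mhost != -1 and (mip == 1 or mhost == 1)

def parse_sshd_config(text):
    """Return (global options, ordered Match blocks as (criteria, options)), keywords lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            tokens = rest.split()  # "Criterion value" pairs
            if len(tokens) % 2:
                raise ValueError("Match needs criterion/value pairs: %r" % line)
            current = {}
            blocks.append((dict(zip([t.lower() for t in tokens[::2]], tokens[1::2])), current))
        elif current is None:
            global_opts[keyword] = rest
        else:
            current[keyword] = rest
    return global_opts, blocks

def criterion_satisfied(criterion, value, user, groups, addr):
    """User/Group/Address only; for Group a negated hit on any group rejects, else some group must match."""
    if criterion == "user":
        return match_pattern_list(user, value) == 1
    if criterion == "group":
        results = [match_pattern_list(g, value) for g in groups]
        return -1 not in results and 1 in results
    if criterion == "address":
        return match_address_list(addr, value) == 1
    raise ValueError("criterion %r not modelled here" % criterion)

def effective_options(text, user, groups, addr):
    """sshd_config(5): every Match block whose criteria are all satisfied applies; for a
    keyword set in several such blocks only the first counts; the global value is the fallback."""
    global_opts, blocks = parse_sshd_config(text)
    effective, seen = dict(global_opts), set()
    for criteria, options in blocks:
        if all(criterion_satisfied(c, v, user, groups, addr) for c, v in criteria.items()):
            for keyword, value in options.items():
                if keyword not in seen:
                    effective[keyword] = value
                    seen.add(keyword)
    return effective

if __name__ == "__main__":
    # bob is in both groups: MaxAuthTries from the first satisfied block, PasswordAuthentication from the third
    print(effective_options(SSHD_CONFIG, "bob", {"maintainers", "appusers"}, "192.168.0.55"))
```

This is for reasoning about the policy offline. On the server itself the authoritative check is sshd's extended test mode, also added in 5.1: sshd -T -C user=app1,host=app1.example.com,addr=192.168.0.55 prints the configuration that would apply to that connection, and sshd -t checks the file for syntax errors (which is what catches a mis-cased yes/no value). The hostname leg of from= depends on reverse DNS for the client address, so the address form is the one to rely on.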
Re: Restricting SSH access per user to specific sources Mar 26 2010 07:48PM
James B. Byrne (byrnejb harte-lyne ca)
RE: Restricting SSH access per user to specific sources Mar 26 2010 04:18PM
Imran Javeed (Imran Javeed vocalink com) (1 replies)
Re: Restricting SSH access per user to specific sources Mar 29 2010 07:05PM
Wayne Sweatt (sweatt lanl gov) (1 replies)
Openssh release Notes Archive... Mar 30 2010 09:15PM
Hasan Rezaul-CHR010 (CHR010 motorola com) (1 replies)
Re: Openssh release Notes Archive... Mar 31 2010 04:32PM
Lars Nooden (lars curator gmail com)
Copyright 2010, SecurityFocus