Secure Shell

Thread index: Restricting SSH access per user to specific sources
- Restricting SSH access per user to specific sources, Mar 26 2010 06:19AM, Michael (milegrin gmail com) (4 replies)
- Re: Restricting SSH access per user to specific sources, Mar 28 2010 03:42AM, Darren Tucker (dtucker zip com au)
- Re: Restricting SSH access per user to specific sources, Mar 26 2010 07:48PM, James B. Byrne (byrnejb harte-lyne ca)
- RE: Restricting SSH access per user to specific sources, Mar 26 2010 04:18PM, Imran Javeed (Imran Javeed vocalink com) (1 reply)
- Re: Restricting SSH access per user to specific sources, Mar 29 2010 07:05PM, Wayne Sweatt (sweatt lanl gov) (1 reply)
- Openssh release Notes Archive..., Mar 30 2010 09:15PM, Hasan Rezaul-CHR010 (CHR010 motorola com) (1 reply)
> ... We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled.
When sudo is enabled and with a properly configured sudoers file, that
risk is not necessary to take and root login can be turned off. Run the
programs manually with -vvv appended to the ssh client's arguments to see
exactly what is being sent to the server and then the correct regex can be
added to sudoers. Then a dedicated account can be used to limit access
appropriately.
> I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to only allow root ssh from the
> management server only.
That hole can be closed. See above. Later, DNSSEC should be used if it
is not already so that there is a greater chance that the machine calling
itself the management server really is the management server.
> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so it
> needs to be user specific...
If you can, upgrade to 5.3p or wait a few days and upgrade to 5.5p.
One way could be via the keys used to log in. Starting with 5.1 sshd
allows CIDR matching in ~/.ssh/authorized_keys [1] with a fallback to
regular pattern matching.
Even simpler would be to use the Match directive in sshd_config to apply
restrictions to different groups of users. CIDR address masks can be
added or individual addresses:
# Global section: applies unless a satisfied Match block below overrides it
MaxAuthTries 0
Match Group maintainers
    MaxAuthTries 6
# Several criteria on one Match line are separated by whitespace, not commas
Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6
Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no
The first match to succeed is used.
Regards,
/Lars Nooden
[1] http://www.openssh.org/txt/release-5.1
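The Match-block and CIDR address logic discussed in this thread, worked through as an added Python example that is not part of the post and not OpenSSH's own code. It is a deliberately small model of how sshd resolves Match Group/Address blocks ("first satisfied block that sets a keyword wins", globals otherwise) and of the CIDR-first, wildcard-fallback address matching that the post describes for Match Address and for the from= option in authorized_keys. The config text, user names, group names and addresses are constructed for the example; the supported criteria (User, Group, Host, Address) are a subset of what sshd accepts.

```python
"""Model of sshd Match evaluation: which sshd_config values does a given
user/group/source address receive?  Added example, not OpenSSH code."""
import fnmatch
import ipaddress

# Constructed config modelled on the one in the post (corrected syntax);
# not a real host's configuration.
SAMPLE_CONFIG = """
MaxAuthTries 0
PermitRootLogin no
Match Group maintainers
    MaxAuthTries 6
Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6
Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no
"""


def pattern_list_match(value, patterns):
    """ssh-style comma-separated pattern list: * and ? wildcards, ! negation.
    A negated entry that matches rejects the whole list."""
    matched = False
    for pat in patterns.split(","):
        neg = pat.startswith("!")
        if neg:
            pat = pat[1:]
        if fnmatch.fnmatchcase(value, pat):
            if neg:
                return False
            matched = True
    return matched


def address_match(addr, patterns):
    """CIDR entries first (192.168.0.0/24; a bare address means a host mask),
    falling back to wildcard patterns for entries that are not CIDR.
    Same shape as the from= option in authorized_keys."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for pat in patterns.split(","):
        neg = pat.startswith("!")
        if neg:
            pat = pat[1:]
        try:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:          # not a CIDR/address: wildcard fallback
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit:
            if neg:
                return False
            matched = True
    return matched


def parse_config(text):
    """Split into (global_options, [(criteria, options), ...]).  Keywords are
    case-insensitive; within one section the first value for a keyword wins."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()      # criteria are whitespace-separated
            if len(tokens) % 2:
                raise ValueError("Match needs criterion/pattern pairs: " + line)
            criteria = [(tokens[i].lower(), tokens[i + 1])
                        for i in range(0, len(tokens), 2)]
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key, value)
    return global_opts, blocks


MATCHERS = {
    "user":    lambda c, p: pattern_list_match(c["user"], p),
    "group":   lambda c, p: any(pattern_list_match(g, p) for g in c["groups"]),
    "host":    lambda c, p: pattern_list_match(c["host"], p),
    "address": lambda c, p: address_match(c["addr"], p),
}


def effective_options(text, user, groups, addr, host=""):
    """Globals, overridden by satisfied Match blocks; among satisfied blocks
    the first one that sets a keyword wins (keys returned lower-cased)."""
    global_opts, blocks = parse_config(text)
    conn = {"user": user, "groups": list(groups), "addr": addr, "host": host}
    effective = dict(global_opts)
    taken = set()
    for criteria, opts in blocks:
        if any(name not in MATCHERS for name, _ in criteria):
            raise ValueError("unsupported Match criterion in %r" % (criteria,))
        if all(MATCHERS[name](conn, pat) for name, pat in criteria):
            for key, value in opts.items():
                if key not in taken:
                    effective[key] = value
                    taken.add(key)
    return effective


if __name__ == "__main__":
    for user, groups, addr in [("alice", ["maintainers"], "10.0.0.5"),
                               ("app1", ["appusers"], "192.168.0.7"),
                               ("app1", ["appusers"], "10.0.0.5"),
                               ("dsh", ["frmmgtsvr"], "192.168.0.101")]:
        print(user, addr, effective_options(SAMPLE_CONFIG, user, groups, addr))
```

Running it shows the point of the post's layout: an appusers account arriving from 192.168.0.0/24 gets MaxAuthTries 6 and PasswordAuthentication no, while the same account from any other network falls through to the global MaxAuthTries 0 and is never offered an authentication attempt. On a real host, check the deployed file with sshd's own test mode rather than a model, e.g. sshd -T -C user=app1,host=appbox.example,addr=192.168.0.7, which prints the effective configuration for that connection.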