Secure Shell
Restricting SSH access per user to specific sources Mar 26 2010 06:19AM
Michael (milegrin gmail com) (4 replies)
Re: Restricting SSH access per user to specific sources Mar 28 2010 03:42AM
Darren Tucker (dtucker zip com au)
Re: Restricting SSH access per user to specific sources Mar 27 2010 10:24AM
Lars Nooden (lars curator gmail com)
Re: Restricting SSH access per user to specific sources Mar 26 2010 07:48PM
James B. Byrne (byrnejb harte-lyne ca)

On Fri, March 26, 2010 02:19, Michael wrote:
> We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled. I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
> For security reasons I need to only allow root ssh from the
> management server only.
> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so
> it needs to be user specific. As TCP Wrapper is not used on the AIX
> servers that is currently not an option and the configuration needs
> to go through the various OpenSSH configs.
> Example :
> Mngt Server
> App1 Server
> App2 Server
> App3 Server
> - The App Servers allow root access from "Mngt Server" but deny root
> access from everywhere else.
> - The App Servers allow AppUserX access from App* Server and "Mngt
> Server" but deny access from everywhere else.
> - The administrators can connect to the servers from anywhere but
> not as the AppUserX or root
> I have tried the global /etc/ssh/ssh_config and
> /etc/ssh/sshd_config
> files. I have also tried ~/.ssh/config to no avail. As I am pretty
> much fumbling in the dark I may have been close to a solution and
> not realised it but I simply can't seem to get user level access
> restrictions to work.

I am not convinced that I fully understand what you are looking for
but on the off chance that I do then here are my suggestions:

1. Generate root's user keys (ssh-keygen) on each host; iff they do
not already exist, and they should exist so check for them

2. Add root's public user key from the Mngt server host to
/root/.ssh/authorized_keys2 on each of the controlled hosts.

3. Allow RSA/DSA (SSH 2) authentication.

4. Disallow root logins using passwords on all the servers (or all
but a single logon server if promiscuous access is required).

5. As root, connect from the Mngt server to each target host and add
the target host to root's known_hosts file.

That will restrict root access on the App hosts to connections
originating from ssh key authorized hosts and does away with the
possibility of compromised passwords in a single stroke.

A similar arrangement can be made for specific userids by generating
user keys on each host requiring access and appropriately
configuring ~/.ssh/authorized_keys2 for that userid on the target

I use this system for running rsync over ssh between servers where
root access is required. However, since root is just a userid the
same technique should work for any other user. You just have to
generate and distribute each user's keys to the target hosts each
time a host changes.

Administrative users can either adopt the same technique for their
personal workstations or retain password access to their shell
accounts on the target machines.

Alternatively, you could have a single logon host that permits
password authenticated logons for all known users (except root of
course), but requires su to obtain root access on that machine and
thereafter uses the RSA/DSA key system to allow restricted ssh
access to the Mngt server as root. From that server the rest of the
farm is reached using the same technique. This has the added
benefit of identifying exactly which userid was acting as root at
any given time.

1. password ssh non-privileged user to public logon host
2. su to desired administrative or superuser ID on logon host
3. as assumed userid ssh via RSA/DSA authentication to desired hosts.

*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB (at) Harte-Lyne (dot) ca [email concealed]
Harte & Lyne Limited
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

[ reply ]
RE: Restricting SSH access per user to specific sources Mar 26 2010 04:18PM
Imran Javeed (Imran Javeed vocalink com) (1 replies)
Re: Restricting SSH access per user to specific sources Mar 29 2010 07:05PM
Wayne Sweatt (sweatt lanl gov) (1 replies)
Openssh release Notes Archive... Mar 30 2010 09:15PM
Hasan Rezaul-CHR010 (CHR010 motorola com) (1 replies)
Re: Openssh release Notes Archive... Mar 31 2010 04:32PM
Lars Nooden (lars curator gmail com)


Privacy Statement
Copyright 2010, SecurityFocus