Secure Shell
Restricting SSH access per user to specific sources Mar 26 2010 06:19AM
Michael (milegrin gmail com) (4 replies)
Re: Restricting SSH access per user to specific sources Mar 28 2010 03:42AM
Darren Tucker (dtucker zip com au)
Michael wrote:
[...]
> I have been searching for a solution for a few weeks now and managed
> to find one or two server wide examples & discussions but not any for
> user specific restrictions.
>
> Firstly, the setup :
> Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
> 5.0.0.5302 (latest version for AIX I am aware of). There are also a
> few linux boxes, mostly redhat and Ubuntu.
>
> We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled. I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to allow root ssh from the
> management server only.

You can do this with the "Match" keyword. It's first-match, and it can
take multiple criteria on a single line, which is a logical "and", and
if you use it to set the allowed authentication methods you can achieve
the effect you want.

For example, you could add this to the end of sshd_config, to allow root
access from a single address with public-key authentication only:

# default settings above
Match User root Address 10.1.1.1
    PubkeyAuthentication yes
Match User root
    PubkeyAuthentication no
    PasswordAuthentication no
    # other auth methods here

> For audit purposes I need to ensure that application UserIDs will
> only accept connections from specific hosts.
[...]

You can apply the same method as above for non-root users. If you have
the same set of rules you want to apply to a set of application users,
you might want to use "Match Group" rather than "Match User", then stick
the users into the appropriate group.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

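To make the Match semantics in the reply above concrete (several criteria on one line are ANDed; each keyword is taken from the first satisfied block that sets it, so a keyword left out of an early block falls through to a later one), here is an added example that is not OpenSSH code and not from the post: a small Python evaluator of those rules run over a constructed sshd_config fragment. The config, the group "appusers" and the user-to-group table are all made up for the illustration; only User, Group and Address criteria and the two authentication keywords from the thread are modelled.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment (not the poster's file). Root may
# authenticate only by public key and only from the management host
# 10.1.1.1; members of the hypothetical group "appusers" may log in only
# from the 10.2.0.0/24 subnet; everyone else keeps the global defaults.
# The first root block deliberately sets only PubkeyAuthentication, so
# PasswordAuthentication falls through to the second block, as in the post.
SAMPLE_CONFIG = """
# global defaults
PasswordAuthentication yes
PubkeyAuthentication yes

Match User root Address 10.1.1.1
    PubkeyAuthentication yes

Match User root
    PubkeyAuthentication no
    PasswordAuthentication no

Match Group appusers Address 10.2.0.0/24
    PubkeyAuthentication yes
    PasswordAuthentication no

Match Group appusers
    PubkeyAuthentication no
    PasswordAuthentication no
"""

# Hypothetical user -> groups table standing in for the system group database.
SAMPLE_GROUPS = {
    "root": {"system"},
    "appuser1": {"appusers"},
    "alice": {"staff"},
}

# Keywords modelled, mapped to the method name a client would see.
METHOD_KEYWORDS = {
    "pubkeyauthentication": "publickey",
    "passwordauthentication": "password",
}


def parse(text):
    """Split a config into (global settings, ordered Match blocks).

    Each block is (criteria, settings): criteria is a list of
    (criterion, pattern) pairs that must all hold, settings maps
    lower-cased keywords to values. Comments and blank lines are dropped.
    """
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            if len(tokens) % 2:
                raise ValueError("Match needs criterion/pattern pairs: " + line)
            criteria = [(tokens[i].lower(), tokens[i + 1])
                        for i in range(0, len(tokens), 2)]
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_settings[keyword] = value
        else:
            current[1][keyword] = value
    return global_settings, blocks


def _criterion_holds(criterion, pattern, conn):
    """Evaluate one Match criterion. Patterns are comma-separated lists;
    User and Group take * and ? wildcards, Address takes a host or CIDR."""
    alternatives = pattern.split(",")
    if criterion == "user":
        return any(fnmatch.fnmatchcase(conn["user"], p) for p in alternatives)
    if criterion == "group":
        return any(fnmatch.fnmatchcase(g, p)
                   for p in alternatives for g in conn["groups"])
    if criterion == "address":
        addr = ipaddress.ip_address(conn["addr"])
        return any(addr in ipaddress.ip_network(p, strict=False)
                   for p in alternatives)
    raise ValueError("criterion not modelled here: " + criterion)


def effective_settings(config_text, user, addr, groups):
    """Apply the Match rules: every satisfied block overrides the globals,
    but a keyword already set by an earlier satisfied block is not changed
    by a later one (first match wins per keyword)."""
    conn = {"user": user, "addr": addr, "groups": set(groups)}
    global_settings, blocks = parse(config_text)
    effective = dict(global_settings)
    fixed = set()
    for criteria, settings in blocks:
        if all(_criterion_holds(c, p, conn) for c, p in criteria):
            for keyword, value in settings.items():
                if keyword not in fixed:
                    effective[keyword] = value
                    fixed.add(keyword)
    return effective


def allowed_methods(config_text, user, addr, groups_map=SAMPLE_GROUPS):
    """Sorted list of the modelled authentication methods still open to
    `user` connecting from `addr`; an unset keyword counts as "yes"."""
    eff = effective_settings(config_text, user, addr, groups_map.get(user, ()))
    return sorted(name for key, name in METHOD_KEYWORDS.items()
                  if eff.get(key, "yes") == "yes")


if __name__ == "__main__":
    for user, addr in [("root", "10.1.1.1"), ("root", "10.9.9.9"),
                       ("appuser1", "10.2.0.7"), ("appuser1", "10.1.1.1"),
                       ("alice", "10.9.9.9")]:
        methods = allowed_methods(SAMPLE_CONFIG, user, addr)
        print(f"{user:>9} from {addr:<10} -> {methods or 'nothing left'}")
```

Running it shows root from 10.1.1.1 keeping only publickey, root from anywhere else and appusers members outside 10.2.0.0/24 ending with no method at all, and an unmatched user keeping the global defaults. The evaluator approximates sshd's pattern syntax with shell-style wildcards and does not model negated patterns, so treat it as a way to reason about block ordering rather than as a substitute for testing the real daemon; OpenSSH releases newer than the 5.0 the poster has can dump the effective settings for a given connection with `sshd -T -C user=root,addr=10.1.1.1`.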
Re: Restricting SSH access per user to specific sources Mar 27 2010 10:24AM
Lars Nooden (lars curator gmail com)
Re: Restricting SSH access per user to specific sources Mar 26 2010 07:48PM
James B. Byrne (byrnejb harte-lyne ca)
RE: Restricting SSH access per user to specific sources Mar 26 2010 04:18PM
Imran Javeed (Imran Javeed vocalink com) (1 replies)
Re: Restricting SSH access per user to specific sources Mar 29 2010 07:05PM
Wayne Sweatt (sweatt lanl gov) (1 replies)
Openssh release Notes Archive... Mar 30 2010 09:15PM
Hasan Rezaul-CHR010 (CHR010 motorola com) (1 replies)
Re: Openssh release Notes Archive... Mar 31 2010 04:32PM
Lars Nooden (lars curator gmail com)
Copyright 2010, SecurityFocus