Secure Shell
Restricting SSH access per user to specific sources Mar 26 2010 06:19AM
Michael (milegrin gmail com) (4 replies)
Re: Restricting SSH access per user to specific sources Mar 28 2010 03:42AM
Darren Tucker (dtucker zip com au)
Re: Restricting SSH access per user to specific sources Mar 27 2010 10:24AM
Lars Nooden (lars curator gmail com)
Re: Restricting SSH access per user to specific sources Mar 26 2010 07:48PM
James B. Byrne (byrnejb harte-lyne ca)
RE: Restricting SSH access per user to specific sources Mar 26 2010 04:18PM
Imran Javeed (Imran Javeed vocalink com) (1 replies)
Re: Restricting SSH access per user to specific sources Mar 29 2010 07:05PM
Wayne Sweatt (sweatt lanl gov) (1 replies)
I may be way off base, but have you checked your secure logs for PAM
messages, such as pam_access?
I routinely use pam_access to control user/root access from certain
clients. Just a thought...
access.conf is good for root vs non-root access control, above/beyond
just ssh.

On Mar 26, 2010, at 10:18 AM, Imran Javeed wrote:

> The App Servers allow root access from "Mngt Server" but deny root
> access from everywhere else.
> - The App Servers allow AppUserX access from App* Server and "Mngt
> Server" but deny access from everywhere else.
> - The administrators can connect to the servers from anywhere but not
> as the AppUserX or root
>
>
> I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
> files. I have also tried ~/.ssh/config to no avail. As I am pretty
> much fumbling in the dark I may have been close to a solution and not
> realised it but I simply can't seem to get user level access
> restrictions to work.
>
>
>
> #################################################################
>
>
> Michael
>
> What options did you use for AllowUsers in sshd_config?
>
> From my experience, these should work
>
> Imran
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Michael
> Sent: 26 March 2010 06:19
> To: secureshell (at) securityfocus (dot) com
> Subject: Restricting SSH access per user to specific sources
>
> Hi
>
> My first request so please excuse any etiquette faux pas.
>
> I have been searching for a solution for a few weeks now and managed
> to find one or two server wide examples & discussions but not any for
> user specific restrictions.
>
> Firstly, the setup :
> Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
> 5.0.0.5302 (latest version for AIX I am aware of). There are also a
> few Linux boxes, mostly Red Hat and Ubuntu.
>
> We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled. I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to allow root ssh only from the
> management server.
> For audit purposes I need to ensure that application UserIDs will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so it
> needs to be user specific. As TCP Wrapper is not used on the AIX
> servers that is currently not an option and the configuration needs to
> go through the various OpenSSH configs.
>
> Example :
>
> Mngt Server
> App1 Server
> App2 Server
> App3 Server
>
> - The App Servers allow root access from "Mngt Server" but deny root
> access from everywhere else.
> - The App Servers allow AppUserX access from App* Server and "Mngt
> Server" but deny access from everywhere else.
> - The administrators can connect to the servers from anywhere but not
> as the AppUserX or root
>
>
> I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
> files. I have also tried ~/.ssh/config to no avail. As I am pretty
> much fumbling in the dark I may have been close to a solution and not
> realised it but I simply can't seem to get user level access
> restrictions to work.
>
> I would appreciate any help!
>
> Regards
> Michael L Griffin
>
> He who play in root,
> eventually kill tree.
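The three rules in Michael's example expressed purely in sshd_config, as an added illustration rather than any poster's configuration; the addresses (Mngt Server 10.0.0.1, App1 to App3 10.0.0.11 to 10.0.0.13) and the administrator accounts alice and bob are assumed. Only directives that OpenSSH 5.0 already accepts are used: USER@HOST patterns in a global AllowUsers, and PermitRootLogin inside a Match block (that release does not accept AllowUsers inside Match; later releases do).

```text
# /etc/ssh/sshd_config fragment (constructed example).
# Assumed addresses: Mngt Server 10.0.0.1, App1-App3 10.0.0.11-10.0.0.13.
# Assumed administrator accounts: alice, bob.

# Refuse root everywhere; the Match block at the end re-enables it for
# the management server only.  Layering this under AllowUsers means a
# later edit to AllowUsers alone cannot silently reopen root.
PermitRootLogin no

# Once AllowUsers is set, a login that matches no entry is refused, so
# the administrators must be listed too (plain names, no host part).
# USER@HOST entries check the user and the source separately; the host
# part may use * and ? wildcards and is compared with the client address
# (and with its reverse-resolved name only when UseDNS yes resolves one),
# so addresses are used here to keep the rule independent of DNS.
AllowUsers root@10.0.0.1 AppUserX@10.0.0.1 AppUserX@10.0.0.11 AppUserX@10.0.0.12 AppUserX@10.0.0.13 alice bob

# Everything after a Match line belongs to that block, so keep it last.
# Root from the management server is allowed, but only with a key:
# without-password turns off password authentication for root.
Match Address 10.0.0.1
    PermitRootLogin without-password
```

A refused attempt is logged by sshd as "User X from Y not allowed because not listed in AllowUsers", which is the line to look for in the auth log when confirming the rule fires.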
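The same policy as a pam_access access.conf, written as an added example of Wayne's suggestion rather than his own configuration; it assumes constructed addresses (10.0.0.1 for the management server, 10.0.0.11 to 10.0.0.13 for the application servers), a Linux-style /etc/security/access.conf, and an sshd built with PAM and running with UsePAM yes so that an "account required pam_access.so" line in its PAM stack is consulted.

```text
# /etc/security/access.conf fragment (constructed example for pam_access).
# Line format:  permission : users or groups : origins
# The first line whose user and origin both match decides, so each "+"
# rule is immediately closed by the "-" rule beneath it.

# root: the console (in case this file is shared with the login PAM
# stack, which is Wayne's "above/beyond just ssh" point) and the
# management server only.
+ : root : LOCAL
+ : root : 10.0.0.1
- : root : ALL

# AppUserX: the management server and the three application servers only.
# Origins are compared with the remote host sshd hands to PAM, which is
# the client address unless UseDNS resolves a name; addresses are used
# here so the rule does not depend on reverse DNS.
+ : AppUserX : 10.0.0.1 10.0.0.11 10.0.0.12 10.0.0.13
- : AppUserX : ALL

# Everyone else (the administrators) may log in from anywhere.
+ : ALL : ALL
```

pam_access logs each refusal with the user and origin, which gives the per-user audit trail the original post asked for.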

Copyright 2010, SecurityFocus