Re: Restricting SSH access per user to specific sources

On Fri, 26 Mar 2010, Michael wrote:
> ... We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled.

When sudo is enabled and with a properly configured sudoers file, that risk is not necessary to take and root login can be turned off. Run the programs manually with -vvv appended to the ssh client's arguments to see exactly what is being sent to the server and then the correct regex can be added to sudoers. Then a dedicated account can be used to limit access appropriately.

> I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.

> For security reasons I need to only allow root ssh from the
> management server only.

That hole can be closed. See above. Later, DNSSEC should be used if it is not already so that there is a greater chance that the machine calling itself the management server really is the management server.

> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts.  All this needs to be
> done without impacting where the administrators can connect from so it
> needs to be user specific...

If you can, upgrade to 5.3p or wait a few days and upgrade to 5.5p

One way could be via the keys used to log in. Starting with 5.1 sshd allows CIDR matching in ~/.ssh/authorized_keys [1] with a fallback to regular pattern matching.

Even simpler would be to use the Match directive in sshd_config to apply restrictions to different groups of users. CIDR address masks or individual addresses can be added:

	# global section: applies unless a Match block below sets the keyword
	MaxAuthTries 0

	Match Group maintainers
		MaxAuthTries 6

	# Match criteria are separated by spaces, not commas
	Match Group frmmgtsvr Address 192.168.0.100
		MaxAuthTries 6

	Match Group appusers Address 192.168.0.0/24
		MaxAuthTries 6
		PasswordAuthentication no

The first match to succeed is used.

Regards,
/Lars Nooden

[1]	http://www.openssh.org/txt/release-5.1
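To check which settings such a configuration would actually hand to a given user connecting from a given address, here is a small evaluator of sshd_config Match blocks written as an added example for this thread (it is not OpenSSH code; the GROUPS table is a constructed stand-in for the system group database, and only User, Group and Address criteria are modelled). It applies the documented rule: Match values override the global section, and among Match blocks the first one to set a keyword wins.

```python
"""Minimal evaluator of sshd_config Match blocks (User/Group/Address criteria)."""
import ipaddress

# Constructed group database standing in for /etc/group lookups.
GROUPS = {"maintainers": {"alice"}, "frmmgtsvr": {"root"}, "appusers": {"appuser1"}}

# Constructed config mirroring the snippet in the thread (criteria space-separated).
CONFIG = """\
MaxAuthTries 0
Match Group maintainers
    MaxAuthTries 6
Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6
Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no
"""


def criterion_holds(kind, pattern, user, addr):
    """True if one 'criterion pattern' pair on a Match line is satisfied."""
    kind = kind.lower()
    if kind == "user":
        return user in pattern.split(",")
    if kind == "group":
        return any(user in GROUPS.get(g, set()) for g in pattern.split(","))
    if kind == "address":  # comma-separated list of addresses or CIDR networks
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in pattern.split(","))
    raise ValueError(f"unsupported Match criterion: {kind}")


def effective_config(text, user, addr):
    """Return the keyword -> value map sshd would apply to (user, addr)."""
    globals_, matched = {}, {}
    in_match, block_applies = False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, value = key.lower(), rest.strip()
        if key == "match":
            toks = value.split()  # criterion pattern criterion pattern ...
            in_match = True
            block_applies = all(criterion_holds(k, p, user, addr)
                                for k, p in zip(toks[0::2], toks[1::2]))
        elif not in_match:
            globals_.setdefault(key, value)  # first obtained value wins
        elif block_applies:
            matched.setdefault(key, value)   # first matching block wins
    return {**globals_, **matched}
```

Running `effective_config(CONFIG, "appuser1", "10.0.0.5")` shows the global `MaxAuthTries 0` surviving for an application user connecting from outside 192.168.0.0/24, which is the outcome the configuration is meant to produce.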
