On Fri, 26 Mar 2010, Michael wrote:
> ... We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled.
When sudo is enabled and with a properly configured sudoers file, that
risk is not necessary to take and root login can be turned off. Run the
programs manually with -vvv appended to the ssh client's arguments to see
exactly what is being sent to the server and then the correct regex can be
added to sudoers. Then a dedicated account can be used to limit access
appropriately.
> I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
> For security reasons I need to only allow root ssh from the
> management server only.
That hole can be closed. See above. Later, DNSSEC should be used if it
is not already so that there is a greater chance that the machine calling
itself the management server really is the management server.
> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so it
> needs to be user specific...
If you can, upgrade to 5.3p or wait a few days and upgrade to 5.5p.
One way could be via the keys used to log in. Starting with 5.1 sshd
allows CIDR matching in ~/.ssh/authorized_keys [1] with a fallback to
regular pattern matching.
Even simpler would be to use the Match directive in sshd_config to apply
restrictions to different groups of users. CIDR address masks can be
added or individual addresses:
MaxAuthTries 0
Match Group maintainers
    MaxAuthTries 6
Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6
Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no
The first match to succeed is used.
Regards,
/Lars Nooden
[1] http://www.openssh.org/txt/release-5.1
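As an added illustration of the Match semantics discussed in this message (not code from the thread or from OpenSSH), the following Python evaluator parses a small sshd_config, applies the global section first, then lets satisfied Match blocks override it, with the first satisfied block winning for each keyword, and matches Address criteria against CIDR masks via the ipaddress module. It only understands the User, Group and Address criteria (real sshd also has Host, LocalAddress, LocalPort and "!" negation), and the sample config embedded below is constructed for the demo; the user and group names in it are the ones used as examples above.

```python
import fnmatch
import ipaddress

# Constructed sample config mirroring the Match layout discussed in the message.
SAMPLE_CONFIG = """
# deny everyone by default, then open up specific groups/sources
MaxAuthTries 0
Match Group maintainers
    MaxAuthTries 6
Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6
Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no
"""


def parse_config(text):
    """Return (global_opts, [(criteria, opts), ...]).

    Keywords are lower-cased (sshd treats them case-insensitively); values are
    kept as written. Each Match line becomes a criteria dict mapping the
    criterion type to its comma-separated pattern list.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = rest.split()
            if len(tokens) % 2:
                raise ValueError(f"malformed Match line: {line!r}")
            criteria = {t.lower(): v.split(",") for t, v in zip(tokens[0::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current[key] = rest
    return global_opts, blocks


def _addr_matches(patterns, addr):
    """CIDR masks use network containment; anything else is a wildcard pattern."""
    ip = ipaddress.ip_address(addr)
    for pat in patterns:
        if "/" in pat:
            if ip in ipaddress.ip_network(pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, pat):
            return True
    return False


def _satisfied(criteria, user, groups, addr):
    """All criteria on a Match line must hold (they are ANDed)."""
    for ctype, patterns in criteria.items():
        if ctype == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in patterns)
        elif ctype == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)
        elif ctype == "address":
            ok = _addr_matches(patterns, addr)
        else:
            raise ValueError(f"unsupported Match criterion: {ctype}")
        if not ok:
            return False
    return True


def effective_options(config_text, user, groups, addr):
    """Resolve the options sshd would apply to a connection from addr by user."""
    global_opts, blocks = parse_config(config_text)
    result = dict(global_opts)
    settled = set()  # keywords already fixed by an earlier satisfied block
    for criteria, opts in blocks:
        if not _satisfied(criteria, user, groups, addr):
            continue
        for key, value in opts.items():
            if key not in settled:
                result[key] = value
                settled.add(key)
    return result


if __name__ == "__main__":
    for who, grps, src in [("alice", ["maintainers"], "10.0.0.5"),
                           ("root", ["frmmgtsvr"], "192.168.0.100"),
                           ("root", ["frmmgtsvr"], "192.168.0.101"),
                           ("app1", ["appusers"], "192.168.0.77")]:
        print(who, src, effective_options(SAMPLE_CONFIG, who, grps, src))
```

Running it shows that a frmmgtsvr member connecting from any host other than 192.168.0.100 is left with the global MaxAuthTries 0, while an appusers member inside 192.168.0.0/24 gets both the raised limit and password authentication disabled; a user in both maintainers and appusers takes MaxAuthTries from the first block but still picks up PasswordAuthentication from the third, since no earlier block set it. Before deploying a real config, the same question can be put to the daemon itself with `sshd -T -C user=...,addr=...`.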