On Fri, March 26, 2010 02:19, Michael wrote:
>
>
> We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled. I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to only allow root ssh from the
> management server only.
>
> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so
> it needs to be user specific. As TCP Wrapper is not used on the AIX
> servers that is currently not an option and the configuration needs
> to go through the various OpenSSH configs.
>
> Example :
>
> Mngt Server
> App1 Server
> App2 Server
> App3 Server
>
> - The App Servers allow root access from "Mngt Server" but deny root
> access from everywhere else.
> - The App Servers allow AppUserX access from App* Server and "Mngt
> Server" but deny access from everywhere else.
> - The administrators can connect to the servers from anywhere but
> not as the AppUserX or root
>
>
> I have tried the global /etc/ssh/ssh_config and
> /etc/ssh/sshd_config
> files. I have also tried ~/.ssh/config to no avail. As I am pretty
> much fumbling in the dark I may have been close to a solution and
> not realised it but I simply can't seem to get user level access
> restrictions to work.
>

I am not convinced that I fully understand what you are looking for
but on the off chance that I do then here are my suggestions:

1. Generate root's user keys (ssh-keygen) on each host; iff they do
   not already exist, and they should exist so check for them
   thoroughly.

2. Add root's public user key from the Mngt server host to
   /root/.ssh/authorized_keys2 on each of the controlled hosts.

3. Allow RSA/DSA (SSH 2) authentication.

4. Disallow root logins using passwords on all the servers (or all
   but a single logon server if promiscuous access is required).

5. As root, connect from the Mngt server to each target host and add
   the target host to root's known_hosts file.

That will restrict root access on the App hosts to connections
originating from ssh key authorized hosts and does away with the
possibility of compromised passwords in a single stroke.

A similar arrangement can be made for specific userids by generating
user keys on each host requiring access and appropriately configuring
~/.ssh/authorized_keys2 for that userid on the target machines.

I use this system for running rsync over ssh between servers where
root access is required. However, since root is just a userid the
same technique should work for any other user. You just have to
generate and distribute each user's keys to the target hosts each
time a host changes.

Administrative users can either adopt the same technique for their
personal workstations or retain password access to their shell
accounts on the target machines.

Alternatively, you could have a single logon host that permits
password authenticated logons for all known users (except root of
course), but requires su to obtain root access on that machine and
thereafter uses the RSA/DSA key system to allow restricted ssh access
to the Mngt server as root. From that server the rest of the farm is
reached using the same technique. This has the added benefit of
identifying exactly which userid was acting as root at any given
time.

1. password ssh non-privileged user to public logon host
2. su to desired administrative or superuser ID on logon host
3. as assumed userid ssh via RSA/DSA authentication to desired hosts.

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
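
Added example, not part of the original message: a Python check that a target host's sshd_config matches steps 3 and 4 of the first list, and that every key in root's authorized_keys file is pinned to the management server with the OpenSSH from="..." key option, which the message does not mention. The host name, key material and function names are constructed for illustration; an unset PermitRootLogin is assumed to mean yes, and any from= pattern other than an exact allowed host name is reported.

```python
import re

# Constructed sample inputs for one App server (not from the original message).
SSHD_CONFIG = "PubkeyAuthentication yes\nPermitRootLogin yes\n"
ROOT_AUTHORIZED_KEYS = """\
from="mgmt.example.internal" ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed1 root@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed2 root@app2
"""
KEY_RE = re.compile(r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+\S+(?:\s+(.*))?$')
FROM_RE = re.compile(r'(?:^|,)from="([^"]*)"', re.I)

def audit_sshd(text):
    """Check sshd_config's global section (first value per keyword wins) for steps 3 and 4."""
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional Match blocks are not evaluated here
        seen.setdefault(parts[0].lower(), parts[-1].strip().lower())
    findings = []
    if seen.get("pubkeyauthentication", "yes") != "yes":
        findings.append("step 3: public key authentication is disabled")
    # Assumption: an unset PermitRootLogin counts as "yes" (the older default).
    if seen.get("permitrootlogin", "yes") == "yes":
        findings.append("step 4: root can still log in with a password")
    return findings

def audit_root_keys(text, allowed_hosts):
    """Flag authorized_keys entries not pinned to allowed_hosts with from=."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        src = FROM_RE.search(line[:m.start()]) if m else None
        if not m:
            findings.append(f"line {n}: unparseable entry")
        elif not src:
            findings.append(f"line {n}: key accepted from any host")
        elif set(src.group(1).split(",")) - set(allowed_hosts):
            findings.append(f"line {n}: from= lists unexpected hosts")
    return findings

if __name__ == "__main__":
    hosts = ["mgmt.example.internal"]
    print(audit_sshd(SSHD_CONFIG) + audit_root_keys(ROOT_AUTHORIZED_KEYS, hosts))
```

A key without from= is accepted from whatever host holds the matching private key, so the second sample entry is the one reported.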