Michael wrote:
> [...]
> I have been searching for a solution for a few weeks now and managed
> to find one or two server-wide examples & discussions but not any for
> user-specific restrictions.
> Firstly, the setup:
> Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
> 5.0.0.5302 (latest version for AIX I am aware of). There are also a
> few Linux boxes, mostly Red Hat and Ubuntu.
> We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSHs to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled. I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
> For security reasons I need to only allow root ssh from the
> management server only.
You can do this with the "Match" keyword. It's first-match, and it can
take multiple criteria on a single line, which is a logical "and", and
if you use it to set the allowed authentication methods you can achieve
the effect you want.
For example, you could add this to the end of sshd_config, to allow root
access from a single address with public-key authentication only:
# default settings above
Match User root Address 10.1.1.1
    PubkeyAuthentication yes
Match User root
    PubkeyAuthentication no
    PasswordAuthentication no
    # other auth methods here
> For audit purposes I need to ensure that application UserIDs will
> only accept connections from specific hosts.
> [...]
You can apply the same method as above for non-root users. If you have
the same set of rules you want to apply to a set of application users,
you might want to use "Match Group" rather than "Match User", then stick
the users into the appropriate group.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
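A small model of the Match evaluation the reply relies on, added here as a worked example; it is not code from the thread or from OpenSSH. It assumes the semantics documented in sshd_config(5) (criteria on one Match line are ANDed, every matching block applies, the first matching block to set a keyword wins, and Match values override the global section), models only the User, Group and Address criteria, and uses a constructed config that combines the reply's root rules with the "Match Group" variant for application users.

```python
"""Constructed model of sshd Match evaluation, assumed from sshd_config(5):
criteria on a Match line are ANDed, every matching block applies, the
first matching block to set a keyword wins, and Match overrides global."""
import fnmatch
import shlex
# Constructed config: the reply's root rules plus a Match Group variant.
SSHD_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes
Match User root Address 10.1.1.1
    PubkeyAuthentication yes
Match User root
    PubkeyAuthentication no
    PasswordAuthentication no
Match Group appusers Address 10.1.1.1,10.1.1.2
    PubkeyAuthentication yes
    PasswordAuthentication yes
Match Group appusers
    PubkeyAuthentication no
    PasswordAuthentication no
"""

def _any_match(patterns, values):
    """Comma-separated patterns with sshd-style * and ? wildcards."""
    return any(fnmatch.fnmatchcase(v, p)
               for p in patterns.split(",") for v in values)

def _matches(criteria, user, groups, addr):
    """True only if every criterion/pattern pair on the Match line holds."""
    subject = {"user": [user], "group": groups, "address": [addr]}
    return all(_any_match(pat, subject[name.lower()])
               for name, pat in zip(criteria[::2], criteria[1::2]))

def effective_config(text, user, groups, addr):
    """Keyword -> value sshd would apply to a login by user from addr."""
    global_opts, match_opts = {}, {}
    in_match = active = False
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        key, args = fields[0].lower(), fields[1:]
        if key == "match":
            in_match, active = True, _matches(args, user, groups, addr)
        elif in_match:
            if active:
                match_opts.setdefault(key, args[0])  # first setter wins
        else:
            global_opts.setdefault(key, args[0])
    return {**global_opts, **match_opts}  # Match overrides global
```

On a real host running OpenSSH 5.1 or later, the same check is done against the live config with `sshd -T -C user=root,addr=10.1.1.1`, which prints the effective settings for that Match context.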