I may be way off base, but have you checked your secure logs for PAM
messages, such as pam_access ?
I routinely use pam_access to control user/root access from certain
clients. Just a thought...
access.conf is good for root vs non-root access control, above/beyond
just ssh.
On Mar 26, 2010, at 10:18 AM, Imran Javeed wrote:
The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root
I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files. I have also tried ~/.ssh/config to no avail. As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.
#################################################################
Michael
What options did you use for AllowUsers in sshd_config?
From my experience, these should work
Imran
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx
] On Behalf Of Michael
Sent: 26 March 2010 06:19
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Restricting SSH access per user to specific sources
Hi
My first request so please excuse any etiquette faux pax.
I have been searching for a solution for a few weeks now and managed
to find one or two server wide examples & discussions but not any for
user specific restrictions.
Firstly, the setup :
Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
5.0.0.5302 (latest version for AIX I am aware of). There are also a
few linux boxes, mostly redhat and Ubuntu.
We have a central management server running AIX 6100-03-01 which
runs distributed shell commands (dsh - essentially SSH's to all
servers and runs the specific command) but for this to work root ssh
needs to be enabled. I also have a number of application users that
need to be able to SSH/SCP/SFTP between servers.
For security reasons I need to only allow root ssh from the
management server only.
For audit purposes I need to ensure that application UserID's will
only accept connections from specific hosts. All this needs to be
done without impacting where the administrators can connect from so it
needs to be user specific. As TCP Wrapper is not used on the AIX
servers that is currently not an option and the configuration needs to
go through the various OpenSSH configs.
Example :
Mngt Server
App1 Server
App2 Server
App3 Server
- The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root
I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files. I have also tried ~/.ssh/config to no avail. As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.
I would appreciate any help!
R e g a r d s
M i c h a e l L G r i f f i n
Please consider the environment before printing this email
He who play in root,
eventually kill tree.
*****************************************************
This email is issued by a VocaLink group company. It is confidential
and intended for the exclusive use of the addressee only. You should
not disclose its contents to any other person. If you are not the
addressee (or responsible for delivery of the message to the
addressee), please notify the originator immediately by return
message and destroy the original message. The contents of this email
will have no contractual effect unless it is otherwise agreed
between a specific VocaLink group company and the recipient.
The VocaLink group companies include, among others: VocaLink Limited
(Company No 06119048, VAT No. 907 9619 87) which is registered in
England and Wales at registered office Drake House, Homestead Road,
Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no
1023742, VAT No. 907 9619 87) which is registered in England and
Wales at registered office Drake House, Three Rivers Court,
Homestead Road, Rickmansworth, Hertfordshire. WD3 1FX. United
Kingdom, LINK Interchange Network Limited (Company No 3565766, VAT
No. 907 9619 87) which is registered in England and Wales at
registered office Arundel House, 1 Liverpool Gardens, Worthing, West
Sussex, BN11 1SL and VocaLink Holdings Limited (Company No 06119036,
VAT No. 907 9619 87) which is registered in England and Wales at
registered office Drake House, Homestead Road, Rickmansworth, WD3
1FX. United Kingdom.
The views and opinions expressed in this email may not reflect those
of any member of the VocaLink group. This message and any
attachments have been scanned for viruses prior to leaving the
VocaLink group network; however, VocaLink does not guarantee the
security of this message and will not be responsible for any damages
arising as a result of any virus being passed on or arising from any
alteration of this message by a third party. The VocaLink group may
monitor emails sent to and from the VocaLink group network.
This message has been checked for all email viruses by MessageLabs.
*************************************************************