Re: Restricting SSH access per user to specific sources

Michael wrote:
[...]
  I have been searching for a solution for a few weeks now and managed
to find one or two server-wide examples & discussions but not any for
user-specific restrictions.

Firstly, the setup :
Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
5.0.0.5302 (latest version for AIX I am aware of).  There are also a
few Linux boxes, mostly Red Hat and Ubuntu.

  We have a central management server running AIX 6100-03-01 which
runs distributed shell commands (dsh - essentially SSH's to all
servers and runs the specific command) but for this to work root ssh
needs to be enabled.  I also have a number of application users that
need to be able to SSH/SCP/SFTP between servers.

  For security reasons I need to allow root ssh from the
management server only.

You can do this with the "Match" keyword. It's first-match, and it can take multiple criteria on a single line, which is a logical "and", and if you use it to set the allowed authentication methods you can achieve the effect you want.

For example, you could add this to the end of sshd_config, to allow root access from a single address with public-key authentication only:

# default settings above
Match User root Address 10.1.1.1
  PubkeyAuthentication yes
Match User root
  PubkeyAuthentication no
  PasswordAuthentication no
  # other auth methods here

  For audit purposes I need to ensure that application UserIDs will
only accept connections from specific hosts.
[...]

You can apply the same method as above for non-root users. If you have the same set of rules you want to apply to a set of application users, you might want to use "Match Group" rather than "Match User", then stick the users into the appropriate group.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
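As an added example (not part of the thread and not OpenSSH's own code), the following small Python evaluator models the first-match rule described above and runs it against a constructed sshd_config fragment that combines the root rules from the reply with the same pattern applied through "Match Group"; the addresses 10.1.1.1 (management server) and 10.1.2.0/24 (application hosts) and the group name appusers are placeholders. On OpenSSH 5.1 and later, `sshd -T -C user=root,addr=10.1.1.1` reports the effective settings authoritatively; the 5.0-based AIX build mentioned above predates that option.

```python
# Added example (not from the post): a first-match evaluator for sshd_config Match blocks,
# for checking block order before deploying. Rule modelled: per keyword, the first matching
# Match block that sets it wins, else the global value. Supports the User/Group/Address
# criteria with comma lists, '*'/'?' wildcards and CIDR; '!' negation is not modelled.
import fnmatch
import ipaddress

def _matches(pattern_list, value, is_addr):
    # True if value matches any comma-separated pattern; CIDR is allowed for Address.
    for pat in pattern_list.split(","):
        hit = (ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
               if is_addr and "/" in pat else fnmatch.fnmatchcase(value, pat))
        if hit:
            return True
    return False

def parse(text):
    # Returns (global_opts, [(criteria, opts), ...]) in file order.
    global_opts, blocks, current = {}, [], None
    stripped = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, stripped):  # skip comments and blank lines
        key, rest = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            toks = rest.split()  # criteria come as keyword/pattern pairs
            current = {}
            blocks.append(({k.capitalize(): v for k, v in zip(toks[::2], toks[1::2])}, current))
        else:  # within a section the first value given for a keyword is kept
            (global_opts if current is None else current).setdefault(key.lower(), rest.strip())
    return global_opts, blocks

def effective(text, keyword, user, group, addr):
    """Effective value of keyword for a login as user (member of group) from addr."""
    conn = {"User": user, "Group": group, "Address": addr}
    global_opts, blocks = parse(text)
    for criteria, opts in blocks:
        if all(_matches(p, conn[c], c == "Address") for c, p in criteria.items()) and keyword.lower() in opts:
            return opts[keyword.lower()]
    return global_opts.get(keyword.lower())

# Constructed fragment: the post's root rules plus the same pattern for a group (10.1.1.1 = management
# server, 10.1.2.0/24 = application hosts, both made up). Swap the two root blocks and root from 10.1.1.1 gets "no".
CONFIG = """
PasswordAuthentication yes
Match User root Address 10.1.1.1
  PubkeyAuthentication yes
Match User root
  PubkeyAuthentication no
  PasswordAuthentication no
Match Group appusers Address 10.1.2.0/24
  PubkeyAuthentication yes
Match Group appusers
  PubkeyAuthentication no
  PasswordAuthentication no
"""
```

Note that root from 10.1.1.1 still gets PasswordAuthentication "no": the first block sets only PubkeyAuthentication, so the second root block supplies the password setting, which is exactly the public-key-only effect the reply describes.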
