[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

Re: Restricting SSH access per user to specific sources



I may be way off base, but have you checked your secure logs for PAM messages, such as pam_access ? I routinely use pam_access to control user/root access from certain clients. Just a thought... access.conf is good for root vs non-root access control, above/beyond just ssh.

On Mar 26, 2010, at 10:18 AM, Imran Javeed wrote:

The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root


 I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files.  I have also tried ~/.ssh/config to no avail.  As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.



#################################################################


Michael

What options did you use for AllowUsers in sshd_config?

From my experience, these should work

Imran


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx ] On Behalf Of Michael
Sent: 26 March 2010 06:19
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Restricting SSH access per user to specific sources

Hi

 My first request so please excuse any etiquette faux pax.

 I have been searching for a solution for a few weeks now and managed
to find one or two server wide examples & discussions but not any for
user specific restrictions.

Firstly, the setup :
Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
5.0.0.5302 (latest version for AIX I am aware of).  There are also a
few linux boxes, mostly redhat and Ubuntu.

 We have a central management server running AIX 6100-03-01 which
runs distributed shell commands (dsh - essentially SSH's to all
servers and runs the specific command) but for this to work root ssh
needs to be enabled.  I also have a number of application users that
need to be able to SSH/SCP/SFTP between servers.

 For security reasons I need to only allow root ssh from the
management server only.
 For audit purposes I need to ensure that application UserID's will
only accept connections from specific hosts.  All this needs to be
done without impacting where the administrators can connect from so it
needs to be user specific.  As TCP Wrapper is not used on the AIX
servers that is currently not an option and the configuration needs to
go through the various OpenSSH configs.

Example :

Mngt Server
App1 Server
App2 Server
App3 Server

- The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root


 I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files.  I have also tried ~/.ssh/config to no avail.  As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.

 I would appreciate any help!

R e g a r d s
M i c h a e l  L  G r i f f i n

Please consider the environment before printing this email

He who play in root,
          eventually kill tree.

*****************************************************
This email is issued by a VocaLink group company. It is confidential and intended for the exclusive use of the addressee only. You should not disclose its contents to any other person. If you are not the addressee (or responsible for delivery of the message to the addressee), please notify the originator immediately by return message and destroy the original message. The contents of this email will have no contractual effect unless it is otherwise agreed between a specific VocaLink group company and the recipient.

The VocaLink group companies include, among others: VocaLink Limited (Company No 06119048, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no 1023742, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Three Rivers Court, Homestead Road, Rickmansworth, Hertfordshire. WD3 1FX. United Kingdom, LINK Interchange Network Limited (Company No 3565766, VAT No. 907 9619 87) which is registered in England and Wales at registered office Arundel House, 1 Liverpool Gardens, Worthing, West Sussex, BN11 1SL and VocaLink Holdings Limited (Company No 06119036, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom.

The views and opinions expressed in this email may not reflect those of any member of the VocaLink group. This message and any attachments have been scanned for viruses prior to leaving the VocaLink group network; however, VocaLink does not guarantee the security of this message and will not be responsible for any damages arising as a result of any virus being passed on or arising from any alteration of this message by a third party. The VocaLink group may monitor emails sent to and from the VocaLink group network.

This message has been checked for all email viruses by MessageLabs.
*************************************************************


[Home]     [Fedora Users]     [Fedora Legacy]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

Add to Google Powered by Linux