Subject: using sshd_config to fine-tune remote login privs
Category: Computers > Security
Asked by: destruktobot-ga
List Price: $20.00
Posted: 20 Jul 2005 09:35 PDT
Expires: 19 Aug 2005 09:35 PDT
Question ID: 545814
I require a combination of allowusers/denyusers directives that will effect the following: user FOO is allowed to log in to this server from remote server BAR _only_. All other users may log in to this server from any host.

The closest I've gotten has been something like this:

    denyusers FOO@*.mydomain.com
    allowusers FOO@BAR.mydomain.com *

(AFAIK, sshd_config does not support regexp, just * and ?)

/var/log/messages indicates that FOO cannot log in, because that username is in the denyusers directive. I have verified that hostname BAR in lastlog and hostname BAR in sshd_config match.

The server in question runs SLES 9 and OpenSSH_3.8p1.

Here are my stipulations: shosts.equiv and solutions other than sshd_config aren't acceptable for this task, sorry. Recompiling ssh isn't an option.

If the configuration that I desire is possible, please explain what I'm doing wrong and how to effect it. If it isn't possible, please explain why. Thanks!
Subject: Re: using sshd_config to fine-tune remote login privs
Answered By: efn-ga on 20 Jul 2005 22:02 PDT
Hi destruktobot,

Sorry, what you want is not possible.

You can get the desired effect for user FOO with the line

    AllowUsers FOO@BAR.mydomain.com

This both allows FOO to log in from that host and forbids FOO from logging in from any other host. The problem is that then there is no way to let everyone else log in from anywhere. Once you have any AllowUsers line, all other access is blocked by default. So what you really need is a line that means

    AllowUsers anythingbut(FOO)

Unfortunately, as you have seen, the syntax allowed for these lines is not flexible enough to express this meaning. You are correct that only the wildcard characters '?' and '*' are supported, and there is no way to compose a sequence of characters that will match any string but "FOO".

Similarly, it can't be done with DenyUsers. As you have found, a matching DenyUsers line will block access even if there is also a matching AllowUsers line. So you would need a line that means

    DenyUsers FOO@anythingbut(BAR.mydomain.com)

But as in the AllowUsers case, there is no way to get the "anythingbut" effect with only the '*' and '?' wildcard characters.

References

The manual page on sshd_config confirms that only the '*' and '?' wildcard characters are supported.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

An article by Vincent Danen on "Optimizing OpenSSH" on the linsec.ca website says "Be aware when using DenyUsers and AllowUsers in combination; the DenyUsers will always have precedence."
http://linsec.ca/syshardening/openssh.php

Similarly, an article by Chris Wong on HP-UX Secure Shell says "If a user is restricted by any option, that user will not be granted access."
http://newfdawg.com/SHP-SSHpart3.htm

I hope this is a satisfactory answer to your question. If it's not clear enough, please ask for a clarification.

Regards,

--efn
destruktobot-ga rated this answer:
Thanks to EFN for the thorough answer. I had hoped for an undiscovered solution, but the lack of one is hardly the researcher's fault - at least no doubts and "what ifs" linger.
Subject: Re: using sshd_config to fine-tune remote login privs
From: bozo99-ga on 21 Jul 2005 12:18 PDT
This steps outside your planned constraint of using only the config file, but I thought it was worth a mention. If you are prepared to set FOO a custom shell that he cannot change, it could test the value of SSH_CLIENT in the environment. If the value is satisfactory, execute a proper shell; otherwise exit.
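A concrete form of the custom-shell approach sketched in the comment above, added here as an example and not code from the thread: a POSIX sh wrapper that checks the first field of SSH_CLIENT and only then hands over to the real shell. The installed name foo-shell, the allowed address 192.0.2.10 (a placeholder for BAR's IP, since SSH_CLIENT carries addresses rather than hostnames) and /bin/bash as the real shell are assumptions.

```shell
#!/bin/sh
# Restricted login shell for user FOO (example added here; not from the thread).
# Install as /usr/local/bin/foo-shell and set it as FOO's shell in /etc/passwd.
# sshd exports SSH_CLIENT="<client-ip> <client-port> <server-port>"; it carries an
# address, not a hostname, so BAR must be given as its IP. 192.0.2.10 is a placeholder.
ALLOWED_IP="192.0.2.10"
REAL_SHELL="/bin/bash"

# client_allowed SSH_CLIENT_VALUE ALLOWED_IP
# Succeeds only when the first field of the SSH_CLIENT value equals ALLOWED_IP
# exactly; an empty or malformed value fails (fail closed, e.g. a console login).
client_allowed() {
    ca_value="$1"
    ca_ip="${ca_value%% *}"          # first space-separated field
    case "$ca_value" in
        *" "*) ;;                    # at least two fields, as sshd writes it
        *) return 1 ;;
    esac
    [ -n "$ca_ip" ] && [ "$ca_ip" = "$2" ]
}

main() {
    if ! client_allowed "${SSH_CLIENT-}" "$ALLOWED_IP"; then
        logger -t foo-shell "refused login for $(id -un) from SSH_CLIENT='${SSH_CLIENT-}'"
        echo "Access from this host is not permitted." >&2
        exit 1
    fi
    # Interactive session: sshd passes no arguments; hand over a login shell.
    # Remote command (ssh host 'cmd') or sftp: sshd passes "-c command"; pass it
    # through so both paths are subject to the same check.
    if [ $# -eq 0 ]; then
        exec "$REAL_SHELL" -l
    fi
    exec "$REAL_SHELL" "$@"
}

# Only dispatch when invoked under the installed name (sshd prefixes '-' for a login
# shell); sourcing or running this file under another name only defines the functions.
case "${0##*/}" in
    foo-shell|-foo-shell) main "$@" ;;
esac
```

The `-c` path matters: a remote command or an sftp session also runs through the user's shell, so the same check covers it.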