Restricting SSH access per user to specific sources
Hi

My first request so please excuse any etiquette faux pas.

I have been searching for a solution for a few weeks now and managed
to find one or two server wide examples & discussions but not any for
user specific restrictions.

Firstly, the setup:
Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
5.0.0.5302 (latest version for AIX I am aware of). There are also a
few Linux boxes, mostly Red Hat and Ubuntu.

We have a central management server running AIX 6100-03-01 which
runs distributed shell commands (dsh - essentially SSH's to all
servers and runs the specific command) but for this to work root ssh
needs to be enabled. I also have a number of application users that
need to be able to SSH/SCP/SFTP between servers.

For security reasons I need to only allow root ssh from the
management server only.
For audit purposes I need to ensure that application UserIDs will
only accept connections from specific hosts. All this needs to be
done without impacting where the administrators can connect from so it
needs to be user specific. As TCP Wrapper is not used on the AIX
servers that is currently not an option and the configuration needs to
go through the various OpenSSH configs.

Example:

Mngt Server
App1 Server
App2 Server
App3 Server

- The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root


I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files. I have also tried ~/.ssh/config to no avail. As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.

I would appreciate any help!

Regards
Michael L Griffin

Please consider the environment before printing this email

He who play in root,
eventually kill tree.
RE: Restricting SSH access per user to specific sources
Michael

What options did you use for AllowUsers in sshd_config?

From my experience, these should work

Imran


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Michael
Sent: 26 March 2010 06:19
To: secureshell@securityfocus.com
Subject: Restricting SSH access per user to specific sources
Re: Restricting SSH access per user to specific sources
On Fri, March 26, 2010 02:19, Michael wrote:
>
>
> We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled. I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to only allow root ssh from the
> management server only.
>
> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so
> it needs to be user specific. As TCP Wrapper is not used on the AIX
> servers that is currently not an option and the configuration needs
> to go through the various OpenSSH configs.
>
> Example :
>
> Mngt Server
> App1 Server
> App2 Server
> App3 Server
>
> - The App Servers allow root access from "Mngt Server" but deny root
> access from everywhere else.
> - The App Servers allow AppUserX access from App* Server and "Mngt
> Server" but deny access from everywhere else.
> - The administrators can connect to the servers from anywhere but
> not as the AppUserX or root
>
>
> I have tried the global /etc/ssh/ssh_config and
> /etc/ssh/sshd_config
> files. I have also tried ~/.ssh/config to no avail. As I am pretty
> much fumbling in the dark I may have been close to a solution and
> not realised it but I simply can't seem to get user level access
> restrictions to work.
>


I am not convinced that I fully understand what you are looking for
but on the off chance that I do then here are my suggestions:

1. Generate root's user keys (ssh-keygen) on each host; iff they do
not already exist, and they should exist so check for them
thoroughly.

2. Add root's public user key from the Mngt server host to
/root/.ssh/authorized_keys2 on each of the controlled hosts.

3. Allow RSA/DSA (SSH 2) authentication.

4. Disallow root logins using passwords on all the servers (or all
but a single logon server if promiscuous access is required).

5. As root, connect from the Mngt server to each target host and add
the target host to root's known_hosts file.


That will restrict root access on the App hosts to connections
originating from ssh key authorized hosts and does away with the
possibility of compromised passwords in a single stroke.

A similar arrangement can be made for specific userids by generating
user keys on each host requiring access and appropriately
configuring ~/.ssh/authorized_keys2 for that userid on the target
machines.

I use this system for running rsync over ssh between servers where
root access is required. However, since root is just a userid the
same technique should work for any other user. You just have to
generate and distribute each user's keys to the target hosts each
time a host changes.

Administrative users can either adopt the same technique for their
personal workstations or retain password access to their shell
accounts on the target machines.

Alternatively, you could have a single logon host that permits
password authenticated logons for all known users (except root of
course), but requires su to obtain root access on that machine and
thereafter uses the RSA/DSA key system to allow restricted ssh
access to the Mngt server as root. From that server the rest of the
farm is reached using the same technique. This has the added
benefit of identifying exactly which userid was acting as root at
any given time.

1. password ssh non-privileged user to public logon host
2. su to desired administrative or superuser ID on logon host
3. as assumed userid ssh via RSA/DSA authentication to desired hosts.


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
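The key-install half of James's steps 2 and 4, as an added shell example that is not code from the thread. One point worth making explicit: a bare public key in authorized_keys admits whoever holds the private key, from anywhere; the from= option on the entry ties it to the management server's address, which is what the original post actually asks for. The function below appends the key idempotently (re-running dsh-style rollouts must not duplicate entries), sets the modes sshd's StrictModes check insists on, and a second function verifies that the global PermitRootLogin in a given sshd_config forbids passwords. Paths, the 10.1.1.1 address and the key blob are constructed placeholders; the option names (from, no-port-forwarding, no-X11-forwarding, PermitRootLogin) are real sshd ones.

```shell
#!/bin/sh
# Added example (not code from the thread): install a management host's public
# key into a target account's authorized_keys, bound to its source address.
# Paths, addresses and the key blob below are constructed placeholders.

# install_restricted_key AUTHORIZED_KEYS SOURCE_PATTERNS "PUBKEY_LINE"
#   Appends the key with from="SOURCE_PATTERNS" (comma-separated addresses or
#   host patterns, the list form sshd expects) unless the same key blob is
#   already present, and sets the modes sshd's StrictModes check requires.
install_restricted_key() {
    akfile=$1 sources=$2 pubkey=$3
    keyblob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    [ -n "$keyblob" ] || return 2          # not a "type blob [comment]" line

    akdir=$(dirname "$akfile")
    mkdir -p "$akdir"
    chmod 700 "$akdir"                     # ~/.ssh must not be group/world writable
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile"

    # Identify the key by its blob: comment and options may differ per host.
    if grep -q -F -- "$keyblob" "$akfile"; then
        return 0                           # already installed, nothing to do
    fi
    printf 'from="%s",no-port-forwarding,no-X11-forwarding %s\n' \
        "$sources" "$pubkey" >> "$akfile"
}

# root_password_login_disabled SSHD_CONFIG
#   Exit 0 if the global PermitRootLogin forbids passwords. sshd keeps the
#   FIRST value it reads for a keyword, and everything after the first "Match"
#   line belongs to a Match block, so only the first occurrence before any
#   Match counts. Both "Keyword value" and "Keyword=value" forms are accepted.
root_password_login_disabled() {
    val=$(awk '{ sub(/^[ \t]+/, "")
                 if ($0 ~ /^#/ || $0 == "") next
                 split($0, f, /[ \t=]+/)
                 k = tolower(f[1])
                 if (k == "match") exit
                 if (k == "permitrootlogin") { print tolower(f[2]); exit } }' "$1")
    case "$val" in
        without-password|prohibit-password|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    mngt_key='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYBLOB root@mngt'   # constructed, not a real key
    install_restricted_key "$tmp/.ssh/authorized_keys" "10.1.1.1" "$mngt_key"
    install_restricted_key "$tmp/.ssh/authorized_keys" "10.1.1.1" "$mngt_key"   # no-op on rerun
    cat "$tmp/.ssh/authorized_keys"
    printf 'PermitRootLogin without-password\nMatch User root\n    PasswordAuthentication no\n' \
        > "$tmp/sshd_config"
    root_password_login_disabled "$tmp/sshd_config" && echo "root password logins disabled"
    rm -rf "$tmp"
}
demo
```

Use addresses rather than host names in from= unless UseDNS and reverse lookups are reliable, since sshd matches host-name patterns against the reverse-resolved name. James writes to authorized_keys2; the function takes the file path as its first argument, so either name works with whatever AuthorizedKeysFile the server reads.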
Re: Restricting SSH access per user to specific sources
On Fri, 26 Mar 2010, Michael wrote:
> ... We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled.

When sudo is enabled and with a properly configured sudoers file, that
risk is not necessary to take and root login can be turned off. Run the
programs manually with -vvv appended to the ssh client's arguments to see
exactly what is being sent to the server and then the correct regex can be
added to sudoers. Then a dedicated account can be used to limit access
appropriately.

> I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to only allow root ssh from the
> management server only.

That hole can be closed. See above. Later, DNSSEC should be used if it
is not already so that there is a greater chance that the machine calling
itself the management server really is the management server.

> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts. All this needs to be
> done without impacting where the administrators can connect from so it
> needs to be user specific...

If you can, upgrade to 5.3p or wait a few days and upgrade to 5.5p.

One way could be via the keys used to log in. Starting with 5.1 sshd
allows CIDR matching in ~/.ssh/authorized_keys [1] with a fallback to
regular pattern matching.

Even simpler would be to use the Match directive in sshd_config to apply
restrictions to different groups of users. CIDR address masks can be
added or individual addresses:

MaxAuthTries 0

Match Group maintainers
    MaxAuthTries 6

Match Group frmmgtsvr Address 192.168.0.100
    MaxAuthTries 6

Match Group appusers Address 192.168.0.0/24
    MaxAuthTries 6
    PasswordAuthentication no

The first match to succeed is used.

Regards,
/Lars Nooden

[1] http://www.openssh.org/txt/release-5.1
Re: Restricting SSH access per user to specific sources
Michael wrote:
[...]
> I have been searching for a solution for a few weeks now and managed
> to find one or two server wide examples & discussions but not any for
> user specific restrictions.
>
> Firstly, the setup :
> Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
> 5.0.0.5302 (latest version for AIX I am aware of). There are also a
> few linux boxes, mostly redhat and Ubuntu.
>
> We have a central management server running AIX 6100-03-01 which
> runs distributed shell commands (dsh - essentially SSH's to all
> servers and runs the specific command) but for this to work root ssh
> needs to be enabled. I also have a number of application users that
> need to be able to SSH/SCP/SFTP between servers.
>
> For security reasons I need to only allow root ssh from the
> management server only.

You can do this with the "Match" keyword. It's first-match, and it can
take multiple criteria on a single line, which is a logical "and", and
if you use it to set the allowed authentication methods you can achieve
the effect you want.

For example, you could add this to the end of sshd_config, to allow root
access from a single address with public-key authentication only:

# default settings above
Match User root Address 10.1.1.1
    PubkeyAuthentication yes
Match User root
    PubkeyAuthentication no
    PasswordAuthentication no
    # other auth methods here

> For audit purposes I need to ensure that application UserID's will
> only accept connections from specific hosts.
[...]

You can apply the same method as above for non-root users. If you have
the same set of rules you want to apply to a set of application users,
you might want to use "Match Group" rather than "Match User", then stick
the users into the appropriate group.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
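Darren's root-only fragment extended to the whole scenario in the original post, using the Match Group and CIDR forms Lars mentions. This is an added sshd_config tail, not configuration from any poster; the addresses (10.1.1.1 for the management server, 10.1.2.0/24 for the application servers) and the group name appusers are assumptions, and administrators are simply every account that matches none of the blocks. Comments are kept on their own lines because sshd rejects trailing text after a keyword's value ("garbage at end of line").

```text
# Added example (not from the thread): sshd_config tail for the scenario in
# the original post. Assumed values:
#   10.1.1.1      the management server ("Mngt Server")
#   10.1.2.0/24   the application servers (App1..App3)
#   appusers      group holding the application accounts (AppUserX ...)
# Administrators are everyone else and inherit the global settings.

# Global section. If a keyword appears twice here, sshd keeps the FIRST value.
# root never gets a password prompt anywhere; dsh authenticates with its key.
PermitRootLogin without-password
PubkeyAuthentication yes
# Administrators keep password logins from anywhere.
PasswordAuthentication yes
KbdInteractiveAuthentication yes

# Match blocks. Everything below the first "Match" belongs to a block, so they
# must come last. A block applies when ALL of its criteria hold. For each
# keyword, the first matching block that sets it wins, so an allow block must
# explicitly set every keyword that the deny block after it turns off;
# otherwise the deny block still supplies that keyword.

# root from the management server: key only.
Match User root Address 10.1.1.1
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no

# root from anywhere else: no authentication method left, so no login.
# Add any other method enabled globally (GSSAPIAuthentication,
# KerberosAuthentication) here as well.
Match User root
    PubkeyAuthentication no
    PasswordAuthentication no
    KbdInteractiveAuthentication no

# Application accounts from the application subnet or the management
# server: key only.
Match Group appusers Address 10.1.2.0/24,10.1.1.1
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no

# Application accounts from anywhere else: no method left.
Match Group appusers
    PubkeyAuthentication no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
```

Check the result per connection rather than by reading: `sshd -t` validates the syntax, and `sshd -T -C user=root,host=mngt,addr=10.1.1.1` (extended test mode, added in OpenSSH 5.1, so available after the upgrade Lars recommends) prints the resolved value of every keyword for that user and source; compare it with `addr=10.1.2.5` and with an application account. CIDR in Match Address also arrived in 5.1; on 5.0 list the addresses individually or use a wildcard pattern such as 10.1.2.*. PermitRootLogin without-password was renamed prohibit-password in OpenSSH 7.0, and the old spelling is still accepted.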
Re: Restricting SSH access per user to specific sources
I may be way off base, but have you checked your secure logs for PAM
messages, such as pam_access?
I routinely use pam_access to control user/root access from certain
clients. Just a thought...
access.conf is good for root vs non-root access control, above/beyond
just ssh.

On Mar 26, 2010, at 10:18 AM, Imran Javeed wrote:

> Michael
>
> What options did you use for AllowUsers in sshd_config?
>
> From my experience, these should work
>
> Imran