Biffen (n00b) | Joined: 23 Nov 2004 | Posts: 32
Posted: Fri Feb 18, 2005 9:09 am | Post subject: SSH deny/allow users per host/ip
Hi!
I have a question about ssh (openssh).
Is it possible to deny users login from all IPs/hosts but allow them to log in from a specific IP/host? Or only allow a user access if connecting from a specified host.
Here is my example:
Customer1 should have access to only one account, only sftp (using the scponly shell). I want to deny them from being able to connect as other users.
On the other side, from my 192.68.0 I want to be able to connect to all accounts, including the Customer sftp account.
Regards,
Biffen
seank (l33t) | Joined: 08 Jul 2004 | Posts: 686
Posted: Fri Feb 18, 2005 10:21 am
Why not just do this with your firewall (you have one, right?)?
cselkirk (Apprentice) | Joined: 09 Jun 2003 | Posts: 199 | Location: NL
Posted: Fri Feb 18, 2005 12:06 pm
Your openssh should have support for tcpwrappers (USE="+tcpd" .. which is default). So, you can use tcpwrappers to allow/deny based on hostname/service.
HTH
_________________
cn=cselkirk,dc=xs4all,dc=nl
Paulten (Apprentice) | Joined: 28 Mar 2003 | Posts: 257 | Location: Sykkylven, Norway
Posted: Fri Feb 18, 2005 12:50 pm
This may not be as advanced as the thing you describe you want, but worth mentioning maybe:
/etc/hosts.allow :
sshd : x.x.x.x : allow
sshd : x.x.x.x : allow
sshd : ALL : deny
_________________
Homepage : http://paul.kde.no Jabber ID : tenfjord@jabber.org
"They lived like animals. They neither smoked nor drank" -Unknown
nielchiano (Veteran) | Joined: 11 Nov 2003 | Posts: 1287 | Location: 50N 3E
Posted: Fri Feb 18, 2005 3:16 pm
I'm not sure, but I think he means it like this:
IP 1 should be able to connect to the SSH server, but only be able to log in as user 1
IP 2 ..... user 2
IP-range 3 ... ALL users
So not just restrict certain IPs (or restrict all and allow certain), but restrict user/IP pairs.
One way I know to do it is by using keys: you can tell in the authorized_keys that the key is only valid from certain IPs...
Not sure how to do it with passwords.
Biffen (n00b) | Joined: 23 Nov 2004 | Posts: 32
Posted: Fri Feb 18, 2005 3:49 pm
sean_micken wrote:
> Why not just do this with your firewall (you have one, right?)?
Well, I meant deny/allow user login access based on what host you connect from.
Biffen (n00b) | Joined: 23 Nov 2004 | Posts: 32
Posted: Fri Feb 18, 2005 3:50 pm
cselkirk wrote:
> Your openssh should have support for tcpwrappers (USE="+tcpd" .. which is default). So, you can use tcpwrappers to allow/deny based on hostname/service.
> HTH
I have looked into that but can't get it right, maybe you know some guides?
Biffen (n00b) | Joined: 23 Nov 2004 | Posts: 32
Posted: Fri Feb 18, 2005 3:52 pm
Paulten wrote:
> This may not be as advanced as the thing you describe you want, but worth mentioning maybe:
> /etc/hosts.allow :
> sshd : x.x.x.x : allow
> sshd : x.x.x.x : allow
> sshd : ALL : deny
As I said, login access based on what host you connect from.
Biffen (n00b) | Joined: 23 Nov 2004 | Posts: 32
Posted: Fri Feb 18, 2005 3:58 pm
nielchiano wrote:
> I'm not sure, but I think he means it like this:
> IP 1 should be able to connect to the SSH server, but only be able to log in as user 1
> IP 2 ..... user 2
> IP-range 3 ... ALL users
> So not just restrict certain IPs (or restrict all and allow certain), but restrict user/IP pairs.
> One way I know to do it is by using keys: you can tell in the authorized_keys that the key is only valid from certain IPs...
> Not sure how to do it with passwords.
Yes, maybe I was a bit unclear when asking.
This is what I want to get:
from the internet, open the fw for 1 host (customer1)
in ssh only allow him to log in to a specific account (in this case, an sftp-only account, using the scponly shell)
from my internal network, all hosts have access to any accounts (or based on the hosts they connect from).
---
Ok, maybe it's possible if I use authorized_keys? Do you know any guide on this?
spb (Retired Dev) | Joined: 02 Jan 2004 | Posts: 2135 | Location: Cambridge, UK
Posted: Fri Feb 18, 2005 4:49 pm
man sshd_config wrote:
> AllowUsers
> This keyword can be followed by a list of user name patterns,
> separated by spaces. If specified, login is allowed only for
> user names that match one of the patterns. `*' and `?' can be
> used as wildcards in the patterns. Only user names are valid; a
> numerical user ID is not recognized. By default, login is
> allowed for all users. If the pattern takes the form USER@HOST
> then USER and HOST are separately checked, restricting logins to
> particular users from particular hosts.
Looks like it may be helpful.
Biffen (n00b) | Joined: 23 Nov 2004 | Posts: 32
Posted: Mon Feb 21, 2005 10:30 am
spb wrote:
> man sshd_config wrote:
> > AllowUsers
> > This keyword can be followed by a list of user name patterns,
> > separated by spaces. If specified, login is allowed only for
> > user names that match one of the patterns. `*' and `?' can be
> > used as wildcards in the patterns. Only user names are valid; a
> > numerical user ID is not recognized. By default, login is
> > allowed for all users. If the pattern takes the form USER@HOST
> > then USER and HOST are separately checked, restricting logins to
> > particular users from particular hosts.
> Looks like it may be helpful.
Yes, I tried to get it to work, but I haven't had any luck yet. I tried several configurations. Login is only possible if not using any hosts.allow/hosts.deny at all, or only if the host is entered in hosts.allow. If I try to configure any AllowUsers/DenyUsers, sshd just responds to my hosts.allow/hosts.deny configuration (if not using them, all users/hosts are allowed to login).
Shouldn't this be working?
hosts.deny
ALL: ALL
hosts.allow
192.168.0.40 192.168.0.50
in sshd_config
AllowUsers myuser@192.168.0.40
DenyUsers myuser@192.168.0.50
myuser is only allowed to login from 192.168.0.40, any other users are allowed from both hosts, no other hosts are allowed at all.
- - -
If I try to login, both hosts are allowed to log in as myuser. :/
gcasillo (l33t) | Joined: 23 Sep 2003 | Posts: 739 | Location: Cincinnati, Ohio, USA
Posted: Tue Mar 01, 2005 9:42 pm
Just a friendly reminder to those using the "AllowUsers" syntax in their sshd_config files: remember to prepend the username to the IP address. Otherwise, nobody gets in.
So can I use a wildcard with AllowUsers to allow _all_ users from a range of IP addresses? For example:
Code:
AllowUsers *@192.168.0.*
Will that work I wonder?
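As an added example (not code from this thread or from OpenSSH), the following Python model applies the DenyUsers-then-AllowUsers evaluation that sshd_config(5) describes to the directives posted in the two posts above and to the constructed policy for the original question; it assumes HOST is compared against the client IP only and ignores the group directives, and the address 203.0.113.5 is a placeholder.

```python
# Added example, not code from the thread or from OpenSSH: a model of sshd's
# DenyUsers/AllowUsers handling.  sshd_config(5) processes DenyUsers before
# AllowUsers; "*" and "?" are wildcards and USER@HOST checks the two parts
# separately (see the man page text quoted above).  Assumed simplifications:
# HOST is compared with the client IP only (sshd also tries the reverse-
# resolved hostname) and DenyGroups/AllowGroups are ignored.

def _glob(pattern: str, value: str) -> bool:
    """Match with '*' (any run, possibly empty) and '?' (exactly one char)."""
    if not pattern:
        return not value
    if pattern[0] == "*":
        return any(_glob(pattern[1:], value[i:]) for i in range(len(value) + 1))
    return bool(value) and pattern[0] in ("?", value[0]) and _glob(pattern[1:], value[1:])

def pattern_matches(pattern: str, user: str, host: str) -> bool:
    """USER@HOST patterns check both parts; a bare pattern checks only the user."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return _glob(user_pat, user) and _glob(host_pat, host)
    return _glob(pattern, user)

def login_allowed(allow_users, deny_users, user, host) -> bool:
    """True if (user, host) survives DenyUsers and then AllowUsers."""
    if any(pattern_matches(p, user, host) for p in deny_users):
        return False
    if allow_users:  # once AllowUsers is set, every unmatched login is refused
        return any(pattern_matches(p, user, host) for p in allow_users)
    return True

# Directives exactly as posted in the thread.
BIFFEN_ALLOW = ["myuser@192.168.0.40"]
BIFFEN_DENY = ["myuser@192.168.0.50"]
GCASILLO_ALLOW = ["*@192.168.0.*"]
# Constructed policy for the original question: customer1 only from its own
# address (203.0.113.5 is a placeholder), any account from the internal LAN.
SCENARIO_ALLOW = ["customer1@203.0.113.5", "*@192.168.0.*"]

def evaluate(allow_users, deny_users, attempts):
    """Map each (user, host) attempt to the decision the model reaches."""
    return {(u, h): login_allowed(allow_users, deny_users, u, h) for u, h in attempts}

if __name__ == "__main__":
    attempts = [("myuser", "192.168.0.40"), ("myuser", "192.168.0.50"),
                ("other", "192.168.0.40"), ("customer1", "203.0.113.5")]
    for label, allow, deny in [("Biffen", BIFFEN_ALLOW, BIFFEN_DENY),
                               ("scenario", SCENARIO_ALLOW, [])]:
        for (u, h), ok in evaluate(allow, deny, attempts).items():
            print(f"{label}: {u} from {h} -> {'allowed' if ok else 'denied'}")
```

Under this model `AllowUsers *@192.168.0.*` admits any account from 192.168.0.x and refuses every other source, and with an AllowUsers line present a second user name is refused from both hosts, because AllowUsers, once set, admits only the logins it matches.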