Gentoo Forums
Restricting ssh tunneling on a per-user basis
bludger
Guru
Joined: 09 Apr 2003
Posts: 389

Posted: Mon Dec 04, 2006 2:08 pm    Post subject: Restricting ssh tunneling on a per-user basis

Does anyone know of a way to configure openssh so that tunneling is restricted to certain users?
erik258
Advocate
Joined: 12 Apr 2005
Posts: 2650
Location: Twin Cities, Minnesota, USA

Posted: Mon Dec 04, 2006 3:45 pm

From the sshd_config man page:
Quote:

AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. `*' and `?' can be
used as wildcards in the patterns. Only user names are valid; a
numerical user ID is not recognized. By default, login is
allowed for all users. If the pattern takes the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts.

But perhaps a more reasonable way to do ssh access control would be:

Quote:
AllowGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. If specified, login is allowed only for
users whose primary group or supplementary group list matches one
of the patterns. `*' and `?' can be used as wildcards in the
patterns. Only group names are valid; a numerical group ID is
not recognized. By default, login is allowed for all groups.

then you can just add everyone to the ssh group or whatever you choose to name it.
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!
bludger
Guru
Joined: 09 Apr 2003
Posts: 389

Posted: Mon Dec 04, 2006 4:57 pm

Thanks for your answer. What I would like to do however, is not just restrict access, but allow access to some users, without allowing them to tunnel, while allowing other users to tunnel.

Perhaps the only way to do this would be with a separate ssh daemon (in a chroot environment too).
erik258
Advocate
Joined: 12 Apr 2005
Posts: 2650
Location: Twin Cities, Minnesota, USA

Posted: Mon Dec 04, 2006 5:18 pm

Quote:
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server


That's from the end of an old sshd_config I have.

It isn't documented in the man page, but as you can see you can probably match a user or group and allow certain settings for the user/group you specify.

Try it out! I bet it's just what you're looking for.
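The Match mechanism quoted in the post above is exactly the per-user control the thread is after: keep AllowTcpForwarding no globally and re-enable it inside a Match block for the users or group that may tunnel. What is easy to get wrong is precedence. sshd takes global keywords first, a Match block whose criteria are all satisfied overrides them, and when several matching Match blocks set the same keyword, the first matching block in the file wins, so a later, more specific Match User block cannot take the setting back. The following Python script is an added example, not code from the thread or from OpenSSH: it models that resolution for a constructed sshd_config and constructed users and shows the pitfall. It handles only the User and Group criteria and whitespace-separated keyword/value lines; the group name "tunnel", the user names and the PermitOpen targets are assumptions for the example.

```python
"""Resolve the effective per-user sshd settings from an sshd_config with Match blocks.

Added example, not code from the forum thread or from OpenSSH. It models the
rule from sshd_config(5): global keywords are read first, a Match block whose
criteria are all satisfied overrides them, and for a keyword set in several
matching Match blocks the first matching block wins. Only the 'User' and
'Group' criteria are modelled; the config text and the users are constructed.
"""
import fnmatch

# Constructed sshd_config: everyone in sshusers may log in, only group
# 'tunnel' may forward ports. Note the order of the two Match blocks.
SAMPLE_CONFIG = """
# global section: no forwarding of any kind by default
AllowGroups sshusers tunnel
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no

Match Group tunnel
    AllowTcpForwarding yes
    PermitOpen localhost:5432 10.0.0.5:443

Match User anoncvs
    AllowTcpForwarding no
    ForceCommand cvs server
"""

# Constructed users: name -> group list (primary group first), as sshd
# would obtain it from the password and group databases.
USERS = {
    "alice": ["alice", "sshusers", "tunnel"],
    "bob": ["bob", "sshusers"],
    "anoncvs": ["anoncvs", "sshusers", "tunnel"],  # in 'tunnel' by mistake
}


def parse_config(text):
    """Return (global_settings, match_blocks).

    Each settings dict keeps the first occurrence of a keyword, as sshd does.
    match_blocks is a list of (criteria, settings) in file order; criteria is
    a list of (criterion, pattern) pairs, empty for 'Match all'.
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            if tokens == ["all"]:
                criteria = []
            elif len(tokens) % 2 == 0 and tokens:
                criteria = [(tokens[i].lower(), tokens[i + 1])
                            for i in range(0, len(tokens), 2)]
            else:
                raise ValueError("Match needs criterion/pattern pairs: " + line)
            current = {}
            blocks.append((criteria, current))
            continue
        current.setdefault(keyword, value)  # first value for a keyword sticks
    return global_settings, blocks


def _any_match(pattern_list, candidates):
    """True if any candidate matches any comma-separated pattern ('*', '?')."""
    return any(fnmatch.fnmatchcase(c, p)
               for p in pattern_list.split(",") for c in candidates)


def block_applies(criteria, user, groups):
    """All criteria of a Match line must be satisfied for the block to apply."""
    for crit, pattern in criteria:
        if crit == "user":
            if not _any_match(pattern, [user]):
                return False
        elif crit == "group":
            if not _any_match(pattern, groups):
                return False
        else:
            raise ValueError("criterion %r not modelled here" % crit)
    return True


def effective_settings(text, user, groups):
    """Global settings overridden by the first matching Match block per keyword."""
    global_settings, blocks = parse_config(text)
    from_match = {}
    for criteria, settings in blocks:
        if block_applies(criteria, user, groups):
            for keyword, value in settings.items():
                from_match.setdefault(keyword, value)  # earlier block wins
    effective = dict(global_settings)
    effective.update(from_match)
    return effective


def may_forward(text, user, groups):
    """True if sshd would let this user request any TCP forwarding."""
    value = effective_settings(text, user, groups).get("allowtcpforwarding", "yes")
    return value.lower() != "no"


if __name__ == "__main__":
    for name, groups in USERS.items():
        eff = effective_settings(SAMPLE_CONFIG, name, groups)
        print("%-8s AllowTcpForwarding=%-4s ForceCommand=%s" % (
            name, eff.get("allowtcpforwarding"), eff.get("forcecommand", "-")))
```

Running it shows alice may forward and bob may not, as intended, but anoncvs may forward too: the Match Group tunnel block comes first and already set AllowTcpForwarding, so the later Match User anoncvs block only contributes ForceCommand. Put the more specific block first (or keep anoncvs out of the group). On a real host confirm the outcome with sshd's own resolver rather than a model, e.g. `sshd -T -C user=anoncvs,host=client.example,addr=192.0.2.10 | grep -i forwarding` (placeholder host and address). Two caveats worth keeping in mind: AllowTcpForwarding no only disables sshd's forwarding service, so a user who still gets a shell can relay traffic with their own tools, and the other tunnel types (X11Forwarding, PermitTunnel, AllowStreamLocalForwarding, AllowAgentForwarding) are separate keywords that need their own Match entries.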
bludger
Guru
Joined: 09 Apr 2003
Posts: 389

Posted: Tue Dec 05, 2006 1:03 pm

Sounds great, but it doesn't seem to be implemented in my standard version of openssh. I have the following version and USE flags:

Code:
emerge -pv openssh

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] net-misc/openssh-4.4_p1-r6 [4.3_p2-r1] USE="kerberos pam tcpd -X% -X509 -chroot -hpn -ldap -libedit (-selinux) -skey -smartcard -static (-ipv6%*) (-sftplogging%)" 1,019 kB
erik258
Advocate
Joined: 12 Apr 2005
Posts: 2650
Location: Twin Cities, Minnesota, USA

Posted: Tue Dec 05, 2006 6:21 pm

I don't think that's a problem for you:

Quote:
davey ~ # ssh -v
OpenSSH_4.4p1, OpenSSL 0.9.7i 14 Oct 2005
davey ~ # sshd -v
sshd: illegal option -- v
OpenSSH_4.4p1, OpenSSL 0.9.7i 14 Oct 2005


Perhaps yours is too old though. But I think the feature is more likely to be just not documented. It isn't in all my /etc/ssh/sshd_config files, just an example in this one.

I tried it out: I can use the ForceCommand option in a Match User block to force my user to run 'w' on ssh login like this (it works!)
Quote:
# Example of overriding settings on a per-user basis
Match User dan
ForceCommand w

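ForceCommand w, as tested in the post above, is the strongest form of the restriction: a user who never gets a shell cannot stand up their own forwarder to work around AllowTcpForwarding no. A single fixed command is rarely enough in practice, so the usual pattern is to force a small wrapper that reads the command the client asked for from SSH_ORIGINAL_COMMAND and allows only a short list. The script below is an added example, not from the thread or from OpenSSH; the allow list, the group name "tunnelfree" and the install path /usr/local/sbin/ssh-cmd-gate are assumptions for the example.

```python
#!/usr/bin/env python3
"""Allow-listing wrapper for sshd's ForceCommand.

Added example, not from the forum thread or from OpenSSH. sshd runs this
script instead of whatever the client requested and passes the requested
command in SSH_ORIGINAL_COMMAND; only a few read-only commands with fixed
options are permitted, everything else (including an interactive shell,
which arrives with SSH_ORIGINAL_COMMAND unset) is refused.

Assumed sshd_config entry (group name and path are placeholders):
    Match Group tunnelfree
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand /usr/local/sbin/ssh-cmd-gate
"""
import os
import shlex
import sys

# Constructed allow list: requested command name -> absolute path executed.
ALLOWED = {
    "w": "/usr/bin/w",
    "uptime": "/usr/bin/uptime",
    "df": "/bin/df",
}
# Exact arguments accepted per command; anything else (paths, '-o', ';') is refused.
ALLOWED_ARGS = {
    "w": set(),
    "uptime": set(),
    "df": {"-h", "-P"},
}


def decide(original_command):
    """Return the argv to exec for a request, or None if it must be refused."""
    if original_command is None or not original_command.strip():
        return None                     # no command: client wanted a shell
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None                     # unbalanced quotes
    if not argv or argv[0] not in ALLOWED:
        return None
    name = argv[0]
    for arg in argv[1:]:
        if arg not in ALLOWED_ARGS[name]:
            return None                 # 'df -h /etc', 'w; id', '$(id)' all end here
    return [ALLOWED[name]] + argv[1:]


def main():
    argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("command not permitted\n")
        return 1
    os.execv(argv[0], argv)             # direct exec, no shell interprets anything
    return 1                            # only reached if execv fails


if __name__ == "__main__":
    sys.exit(main())
```

The wrapper never hands the request to a shell: the client's string is tokenised and each token must match the allow list exactly, so `w; cat /etc/shadow` or `df -h $(id)` are refused as unknown arguments rather than parsed. Install it mode 0755 owned by root, and test from a client with `ssh user@host df -h` (allowed) and a bare `ssh user@host` (refused). For users who only need file transfer, `ForceCommand internal-sftp` is the simpler equivalent.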
bludger
Guru
Joined: 09 Apr 2003
Posts: 389

Posted: Thu Jan 25, 2007 4:13 pm

I just upgraded to openssh 4.5_p1 and now the feature works.
All times are GMT