Re: Question restricting ssh access for some users only

From: Mark Johnston (mjohnston_at_skyweb.ca)
Date: 10/07/04

    To: Mark Skurzynski <mark@lomag.net>, freebsd-security@freebsd.org
    Date: Thu, 7 Oct 2004 14:10:31 -0500
    
    

    Mark Ogden <ogden@eng.utah.edu> wrote:
    > Mark Skurzynski on Thu, Oct 07, 2004 at 02:50:49PM -0400 wrote:
    > > I normally don't reply here however the simple solution is to run a 2nd
    > > instance of sshd on any random port you choose, i.e. "sshd -f
    > > /etc/ssh/sshd_config_private" or whatever you choose. You could then
    > > easily firewall that port and only allow specific IPs to connect.
    >
    > Yes, that was our second idea. But we feel there's got to be a better
    > way.

    Seems appropriate that a third Mark should chip in here: there is. You can
    use ~/.ssh/authorized_keys to add restrictions, one of which is "from":

         from="pattern-list"
                 Specifies that in addition to public key authentication, the
                 canonical name of the remote host must be present in the comma-
                 separated list of patterns (`*' and `?' serve as wildcards).
                 The list may also contain patterns negated by prefixing them with
                 `!'; if the canonical host name matches a negated pattern, the
                 key is not accepted. The purpose of this option is to optionally
                 increase security: public key authentication by itself does not
                 trust the network or name servers or anything (but the key);
                 however, if somebody somehow steals the key, the key permits an
                 intruder to log in from anywhere in the world. This additional
                 option makes using a stolen key more difficult (name servers
                 and/or routers would have to be compromised in addition to just
                 the key).

    Apply that to the only key you allow to log in for root, and then set
    PermitRootLogin to "without-password", heeding the warning in sshd_config(5)
    about ChallengeResponseAuthentication.

    I would still encourage you to look at Per Engelbrecht's sudo suggestion; you
    will very likely want the logging that it provides. However, you should be
    able to do exactly what you want with this.

    Mark
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
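As an added illustration (not part of the message above and not OpenSSH's own code), the following Python walks through how a from="pattern-list" option on an authorized_keys line is evaluated against a connecting host's canonical name, following the man page text quoted in the reply: a negated pattern that matches rejects the key, otherwise at least one positive pattern must match, which also means a list made only of negated patterns admits nothing. The key lines are constructed with placeholder key material, and the wildcard matcher and case-insensitive comparison are this example's approximation of sshd's behaviour.

```python
import re

# Constructed authorized_keys lines for illustration; the key material is a
# placeholder, not a real public key.
RESTRICTED_LINE = (
    'from="*.example.org,!untrusted.example.org" '
    'ssh-ed25519 AAAAC3PLACEHOLDERKEYMATERIAL root@example.org'
)
NEGATED_ONLY_LINE = (
    'from="!untrusted.example.org" '
    'ssh-ed25519 AAAAC3PLACEHOLDERKEYMATERIAL root@example.org'
)
UNRESTRICTED_LINE = 'ssh-ed25519 AAAAC3PLACEHOLDERKEYMATERIAL root@example.org'


def parse_from_patterns(line):
    """Return the comma-separated patterns of a from="..." option, or None
    when the line carries no from= restriction (key usable from anywhere).
    Assumes from= sits in the leading options field, as sshd requires."""
    m = re.search(r'(?:^|,)from="([^"]*)"', line)
    return m.group(1).split(",") if m else None


def pattern_matches(host, pattern):
    """sshd-style wildcard match: '*' matches any run, '?' one character.
    Host names are compared case-insensitively in this example."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def host_allowed(host, patterns):
    """Apply the quoted rule: a match on a '!'-negated pattern rejects the key
    outright; otherwise some positive pattern must match. A list with only
    negated patterns therefore never yields a positive result."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_matches(host, pat[1:]):
                return False
        elif pattern_matches(host, pat):
            positive = True
    return positive


def key_accepted_from(line, host):
    """True if this authorized_keys line may be used from the given host."""
    patterns = parse_from_patterns(line)
    return True if patterns is None else host_allowed(host, patterns)


if __name__ == "__main__":
    for host in ("admin.example.org", "untrusted.example.org", "x.example.com"):
        print(host, key_accepted_from(RESTRICTED_LINE, host))
```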

