Restricting SSH access per user to specific sources



Hi

My first request so please excuse any etiquette faux pas.

I have been searching for a solution for a few weeks now and managed
to find one or two server wide examples & discussions but not any for
user specific restrictions.

Firstly, the setup :
Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version
5.0.0.5302 (latest version for AIX I am aware of). There are also a
few Linux boxes, mostly Red Hat and Ubuntu.

We have a central management server running AIX 6100-03-01 which
runs distributed shell commands (dsh - essentially SSH's to all
servers and runs the specific command) but for this to work root ssh
needs to be enabled. I also have a number of application users that
need to be able to SSH/SCP/SFTP between servers.

For security reasons I need to only allow root ssh from the
management server only.
For audit purposes I need to ensure that application UserIDs will
only accept connections from specific hosts. All this needs to be
done without impacting where the administrators can connect from so it
needs to be user specific. As TCP Wrapper is not used on the AIX
servers that is currently not an option and the configuration needs to
go through the various OpenSSH configs.

Example :

Mngt Server
App1 Server
App2 Server
App3 Server

- The App Servers allow root access from "Mngt Server" but deny root
access from everywhere else.
- The App Servers allow AppUserX access from App* Server and "Mngt
Server" but deny access from everywhere else.
- The administrators can connect to the servers from anywhere but not
as the AppUserX or root


I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config
files. I have also tried ~/.ssh/config to no avail. As I am pretty
much fumbling in the dark I may have been close to a solution and not
realised it but I simply can't seem to get user level access
restrictions to work.

I would appreciate any help!

Regards
Michael L Griffin

Please consider the environment before printing this email

He who play in root,
eventually kill tree.
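Added worked example (this is not part of the original post, and not an official AIX or OpenSSH recipe). The three rules described above can be expressed entirely in the server-side /etc/ssh/sshd_config of each App server with host-qualified AllowUsers patterns; /etc/ssh/ssh_config and ~/.ssh/config are client-side files and cannot restrict inbound logins, which is why editing them had no effect. The addresses (management server 10.0.0.10, App servers in 10.0.1.0/24), the account names (appuser1, alice, bob) and the PermitRootLogin choice are assumptions made for illustration. AllowUsers is a whitelist: once any AllowUsers line is present, an account that matches no pattern is refused, so the administrators must be listed as well.

```text
# /etc/ssh/sshd_config on each App server (illustrative values; hosts,
# addresses and account names are assumptions, not from the post)
#
# Host-qualified AllowUsers patterns (user@host) are supported by
# OpenSSH 5.0, so no Match block is required. "*" and "?" wildcards
# are allowed in either part, and a pattern with no "@" matches the
# user from any source. Multiple AllowUsers lines accumulate.
#
# Match on IP addresses rather than host names: the host part is
# compared against the client IP and, only when UseDNS is yes, against
# its reverse-DNS name, and a name check is only as strong as your DNS.
UseDNS no

# Rule 1: root may log in, key-only, and only from the management server.
PermitRootLogin without-password
AllowUsers root@10.0.0.10

# Rule 2: the application account may come from the management server
# and from the App servers (assumed to live in 10.0.1.0/24), nowhere else.
AllowUsers appuser1@10.0.0.10 appuser1@10.0.1.*

# Rule 3: administrators (assumed names) may come from anywhere.
# They are not root and not appuser1, so rules 1 and 2 do not widen.
AllowUsers alice bob

# Alternative for later releases only: OpenSSH 5.1 added AllowUsers
# and DenyUsers as Match keywords (check sshd_config(5) on the target
# build before relying on it). The equivalent of rule 1 then reads:
#PermitRootLogin no
#Match Address 10.0.0.10
#    PermitRootLogin without-password
```

Check the file with `sshd -t -f /etc/ssh/sshd_config` before restarting sshd, and keep an existing session open while you verify from each source host that the allowed logins still work and a root or appuser1 login from an App server's neighbour is refused (sshd logs "User root from 10.0.1.5 not allowed because not listed in AllowUsers"). As a second, independent layer for the dsh path, put `from="10.0.0.10"` in front of the management server's key in each App server's /root/.ssh/authorized_keys so that key is unusable from anywhere else even if the sshd_config is later loosened.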


