Setting up SSH access question

From: dompie (kdom_at_mail.mobistar.be)
Date: 06/23/04


Date: 23 Jun 2004 05:51:58 -0700

Hi,

On all of our servers SSH is installed and configured. SSH is set up to
use only pub/priv keys, no password.

I have created a non-privileged account on each server. For this
account the 'authorized_keys' file contains 1 pub key for a specific
unix system.
The purpose is to have a central system that we can use to fetch
information on all servers via SSH and via cron. Thus this central
system contains the private key of the user whose public key is in the
'authorized_keys' of the account I created on each server.
This works great (since the private key is on the central system, I
can put entries in the cron that use SSH to go on every server) but
this is also a security risk, since when the central system is
hacked, one could get on every system (albeit as a non-privileged user,
but still ...). I can harden the central system enough to limit the
chance of hacking.

However, what I want to prevent is that people copy the private key of
the user on the central system over to their system and start accessing
all servers from their system. Therefore I would like to specify on
all the servers that the account I created can only be used from a
specific server.
I looked at host based authentication but this is not what I want
since it will authenticate the users only based upon the hosts from
where they are trying to access the system.
I would like to have the authentication based upon the pub/priv keys
AND specify the hosts that are allowed to connect as that specific
user to the servers.

Is this possible?

Any help much appreciated.

Kris
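The kind of restriction asked for above is expressed per key in the authorized_keys file itself: OpenSSH accepts an options field in front of the key, and the from="pattern" option limits that key to connections originating from the listed hosts (IP addresses or patterns; the key still has to be proven, it is just additionally bound to a source). The script below is an added example, not part of the original post. It writes a constructed authorized_keys file with one restricted and one unrestricted key (the central host address 192.0.2.10, the forced-command path /usr/local/bin/fetch-info and the key material are all placeholders) and then audits it for keys that lack a from= restriction, which is the check you would run across the non-privileged accounts on every server.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates the OpenSSH
# authorized_keys "from=" option and audits a file for keys without it.

# Constructed sample authorized_keys. 192.0.2.10 is a placeholder for the
# central system; /usr/local/bin/fetch-info is a hypothetical script that
# gathers the information the cron job wants. Key blobs are not real keys.
SAMPLE_AUTH_KEYS=$(mktemp)
cat > "$SAMPLE_AUTH_KEYS" <<'EOF'
# restricted: only usable from the central system, no shell, no forwarding
from="192.0.2.10",command="/usr/local/bin/fetch-info",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructed== collector@central
# unrestricted: usable from anywhere the private key is copied to
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1constructed== collector@central
EOF

# Print every key line (comments and blank lines skipped) whose options
# field does not contain a from="..." restriction. Options are comma
# separated and precede the key type, so from= may sit first or after
# another option such as command=.
list_unrestricted() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '(^|,)from="[^"]+"'
}

# Number of unrestricted key lines, as a plain integer on stdout.
count_unrestricted() {
    list_unrestricted "$1" | wc -l | tr -d ' '
}

# Show only the options field of the restricted lines, so the accepted
# syntax is visible without the key blob.
restriction_options() {
    grep -E '(^|,)from="' "$1" | sed -E 's/ (ssh-|ecdsa-|sk-)[^ ]* .*$//'
}

# Stand-alone run: report what an auditor would flag on this server.
echo "keys without a from= restriction: $(count_unrestricted "$SAMPLE_AUTH_KEYS")"
list_unrestricted "$SAMPLE_AUTH_KEYS"
echo "restricted entries use options such as:"
restriction_options "$SAMPLE_AUTH_KEYS"
```

Two practical points when applying this for real: put the central system's IP address (or a narrow pattern) in from= rather than a hostname, since hostname matching depends on reverse DNS of the connecting address, and pair from= with command= and the no-* options so that even a stolen key from the right host can only run the one fetch script, without a shell or port forwarding.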
