Hello, does anybody know how to achieve the following with SSH... a) accept RSA authentication for all but root from any IP b) accept RSA authentication for root from a couple IPs/Netmasks c) accept password authentication for all but root from a dozen Netmasks d) accept password authentication for root from 3 local netmasks only ie. make authentication depend on the USER,METHOD,CLIENT-IP triplet... Cheers, MaZe.
I think you can accomplish some of what you want using TCP Wrappers. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tcpwrappers-access.html I don't know how you could do a-d at once though. Maciej ?enczykowski wrote:> Hello, > > does anybody know how to achieve the following with SSH... > > a) accept RSA authentication for all but root from any IP > b) accept RSA authentication for root from a couple IPs/Netmasks > c) accept password authentication for all but root from a dozen Netmasks > d) accept password authentication for root from 3 local netmasks only > > ie. make authentication depend on the USER,METHOD,CLIENT-IP triplet... > > Cheers, > MaZe. > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > >
On Tue, 2005-31-05 at 11:45 +0200, Maciej ?enczykowski wrote:> a) accept RSA authentication for all but root from any IP > b) accept RSA authentication for root from a couple IPs/Netmasks > c) accept password authentication for all but root from a dozen Netmasks > d) accept password authentication for root from 3 local netmasks only > > ie. make authentication depend on the USER,METHOD,CLIENT-IP triplet...That should all be possible by adding the appropriate parameters in the /etc/ssh/sshd_config file. Also read the sshd_config man page. HTH, Ranbir -- Kanwar Ranbir Sandhu Systems Aligned Inc. www.systemsaligned.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, May 31, 2005 at 11:45:44AM +0200, Maciej ?enczykowski wrote:> Hello, > > does anybody know how to achieve the following with SSH... > > a) accept RSA authentication for all but root from any IP > b) accept RSA authentication for root from a couple IPs/Netmasks > c) accept password authentication for all but root from a dozen Netmasks > d) accept password authentication for root from 3 local netmasks only > > ie. make authentication depend on the USER,METHOD,CLIENT-IP triplet...I don't think you can do all of that with just 1 instance of sshd. You can, however, have more than one instance running, and use iptables to redirect the connections based on the source IP address to the correct instance (each one with a different port and config file). Since sshd's footprint is very small, that should have no nasty side effects. []s - -- Rodrigo Barbosa <rodrigob at suespammers.org> "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCnJw3pdyWzQ5b5ckRAvoNAJ9ZV7W738hSbNIn7shakGQX+1OASQCdG5me B/eP7ugGgdEg7m1SxAjiuCk=bkV9 -----END PGP SIGNATURE-----
On Tue, 2005-05-31 at 11:45 +0200, Maciej ?enczykowski wrote:> Hello, > > does anybody know how to achieve the following with SSH... > > a) accept RSA authentication for all but root from any IP > b) accept RSA authentication for root from a couple IPs/Netmasks > c) accept password authentication for all but root from a dozen Netmasks > d) accept password authentication for root from 3 local netmasks only > > ie. make authentication depend on the USER,METHOD,CLIENT-IP triplet...SSH.com's ssh server (commercial/non-commercial versions) does all that. ftp://ftp.ssh.com/pub/ssh/ -Bruno