Martin Čmelík
2011-Jun-30 11:15 UTC
Limit SSH access for users from defined source address
Hi all,

let me describe my environment and problem.

System is RHEL 5.6 with latest stable OpenSSH.

In sshd_config is defined "AllowGroups sshusers" but I need a limitation for some of the users in the group to have access only from a defined IP address.

As far as I know this can be set up in sshd_config only for AllowUsers, but users in the group change, so I must use AllowGroups instead of AllowUsers.

I have modified /etc/pam.d/sshd

#%PAM-1.0
auth       include      system-auth
account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

and set up the access file /etc/security/access-sshd.conf

- : user1 : ALL EXCEPT 1.1.1.1
- : user2 : ALL EXCEPT 2.2.2.2

This setup works fine. I'm able to log in from the defined sources, but only via password authentication.

When I use ssh keys I'm unable to log in and in /var/log/secure is this log

--attached--

.ssh directory and authorized_keys have permissions 600

I know that it is more related to PAM modules, but I hope that somebody of you can help me more than the PAM developers.

Thank you for any feedback!

Best regards,

Martin Čmelík
http://www.security-portal.cz
http://www.securix.org
Contact me: martin.cmelik at gmail.com
Save a tree - kill a beaver
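An added example (my code, not Martin's configuration or the pam_access module itself) that re-implements the rule semantics pam_access applies to an access.conf file, so a file like the one above can be checked offline before it is deployed: the first matching line wins, `ALL`, `EXCEPT` and `(group)` are honoured in the user field, origins may be a host address, a network in CIDR or address/netmask form, `LOCAL`, a host name or a `.domain` suffix, and a request that matches no line is permitted. The embedded access file is a constructed copy of the thread's two lines, the users, groups and origins fed in are constructed, and `parse_access_conf` / `check_access` are hypothetical names of this script, not pam_access APIs.

```python
"""Evaluate pam_access(8)-style access.conf rules offline.

Semantics modelled: first matching line wins; 'ALL', 'EXCEPT' and the
'(group)' form in the user field; ALL / LOCAL / IP / network / host name /
.domain in the origin field; default permit when no line matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

# Constructed copy of the access file quoted in the thread (not read from disk).
ACCESS_SSHD_CONF = """\
# permission : users : origins
- : user1 : ALL EXCEPT 1.1.1.1
- : user2 : ALL EXCEPT 2.2.2.2
"""


@dataclass
class Rule:
    permit: bool
    users: List[str]
    users_except: List[str]
    origins: List[str]
    origins_except: List[str]


def _split_except(fld: str) -> Tuple[List[str], List[str]]:
    """Split 'a b EXCEPT c d' into (['a', 'b'], ['c', 'd'])."""
    tokens = fld.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_access_conf(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        # split on the first two colons only so IPv6 origins stay intact
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        users, users_except = _split_except(parts[1])
        origins, origins_except = _split_except(parts[2])
        rules.append(Rule(parts[0] == "+", users, users_except, origins, origins_except))
    return rules


def _user_matches(pattern: str, user: str, groups: Sequence[str]) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("(") and pattern.endswith(")"):
        return pattern[1:-1] in groups           # (group) form only; bare group names not modelled
    return pattern == user


def _origin_matches(pattern: str, origin: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin                 # pam_access: any origin string without a dot
    try:
        net = ipaddress.ip_network(pattern, strict=False)   # host, CIDR or addr/netmask
        addr = ipaddress.ip_address(origin)
    except ValueError:
        # not both numeric: compare as host name; a leading '.' means domain suffix
        if pattern.startswith("."):
            return origin.endswith(pattern)
        return pattern == origin
    return addr in net


def _list_matches(include: List[str], exclude: List[str], match: Callable[[str], bool]) -> bool:
    return any(match(p) for p in include) and not any(match(p) for p in exclude)


def check_access(rules: List[Rule], user: str, groups: Sequence[str], origin: str) -> bool:
    """Return True if these rules would let `user` (member of `groups`) in from `origin`."""
    for r in rules:
        if (_list_matches(r.users, r.users_except, lambda p: _user_matches(p, user, groups))
                and _list_matches(r.origins, r.origins_except, lambda p: _origin_matches(p, origin))):
            return r.permit
    return True   # no line matched: pam_access grants access by default


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_SSHD_CONF)
    for user, origin in [("user1", "1.1.1.1"), ("user1", "203.0.113.9"),
                         ("user2", "1.1.1.1"), ("user3", "203.0.113.9")]:
        verdict = "permit" if check_access(rules, user, ["sshusers"], origin) else "deny"
        print(f"{user:6} from {origin:12}: {verdict}")
```

Two things the run makes visible that the file does not say out loud: user1 from 1.1.1.1 is admitted only because no line matched (the default permit), and any other member of sshusers is not restricted by this file at all, since only user1 and user2 are named. A closing `- : ALL : ALL` line is the usual way to turn that default into an explicit deny. The script models the account-stack decision only; it says nothing about whether sshd hands the client address to PAM on a key-based login, which is the part of the thread left unresolved.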
Benjamin SANS
2011-Jun-30 11:31 UTC
Limit SSH access for users from defined source address
Martin Čmelík wrote:
> Hi all,
>
> let me describe my environment and problem.
>
> System is RHEL 5.6 with latest stable OpenSSH.
>
> In sshd_config is defined "AllowGroups sshusers" but I need a limitation
> for some of the users in the group to have access only from a defined IP address.
>
> As far as I know this can be set up in sshd_config only for AllowUsers, but
> users in the group change, so I must use AllowGroups instead of
> AllowUsers.
>
> I have modified /etc/pam.d/sshd
>
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
> and set up the access file /etc/security/access-sshd.conf
>
> - : user1 : ALL EXCEPT 1.1.1.1
> - : user2 : ALL EXCEPT 2.2.2.2
>
> This setup works fine. I'm able to log in from the defined sources, but
> only via password authentication.
>
> When I use ssh keys I'm unable to log in and in /var/log/secure is this log

Hi Martin,

Maybe you could define a Match block like the following:

Match Address x.x.x.0/y
    PubkeyAuthentication yes

> --attached--
>
> .ssh directory and authorized_keys have permissions 600
>
> I know that it is more related to PAM modules, but I hope that
> somebody of you can help me more than the PAM developers.
>
> Thank you for any feedback!
>
> Best regards,
>
> Martin Čmelík
>
> http://www.security-portal.cz
> http://www.securix.org
> Contact me: martin.cmelik at gmail.com
> Save a tree - kill a beaver
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Regards,

-- 
Benjamin SANS
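An added sshd_config fragment (not part of Benjamin's reply or any OpenSSH documentation) showing how his Match suggestion fits together with the global default, and that Match can combine a User and an Address criterion so the restriction is per user rather than per subnet. It assumes a sshd whose config parser supports Match blocks, the group name and the two addresses from Martin's access file, and that password logins from other addresses remain governed by the PAM access file:

```text
# Global defaults: nobody may use a key unless a Match block below says so.
AllowGroups sshusers
PubkeyAuthentication no

# user1 may authenticate with a key only when connecting from 1.1.1.1;
# from anywhere else the global "no" applies and only password auth is offered.
Match User user1 Address 1.1.1.1
    PubkeyAuthentication yes

# same for user2 from 2.2.2.2; a subnet such as 2.2.2.0/24 is also accepted here
Match User user2 Address 2.2.2.2
    PubkeyAuthentication yes
```

Match blocks run to the next Match or end of file, so the global options must be set before the first Match line. Checking the file with `sshd -t` before restarting the daemon will report immediately whether the running sshd understands Match at all, which is exactly the problem Martin runs into with the RHEL 5.6 build.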
Martin Čmelík
2011-Jun-30 11:36 UTC
Limit SSH access for users from defined source address
Hi Benjamin,

Match Access is a new feature in OpenSSH 5.1, but I have OpenSSH_4.3p2. If I wrote "latest stable openssh" I mean latest stable in RHEL 5.6.

Thank you

Martin Čmelík
http://www.security-portal.cz
http://www.securix.org
Contact me: martin.cmelik at gmail.com
Save a tree - kill a beaver

2011/6/30 Benjamin SANS <sans.benjamin at gmail.com>:
> Martin Čmelík wrote:
>> Hi all,
>>
>> let me describe my environment and problem.
>>
>> System is RHEL 5.6 with latest stable OpenSSH.
>>
>> In sshd_config is defined "AllowGroups sshusers" but I need a limitation
>> for some of the users in the group to have access only from a defined IP address.
>>
>> As far as I know this can be set up in sshd_config only for AllowUsers, but
>> users in the group change, so I must use AllowGroups instead of
>> AllowUsers.
>>
>> I have modified /etc/pam.d/sshd
>>
>> #%PAM-1.0
>> auth       include      system-auth
>> account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
>> account    required     pam_nologin.so
>> account    include      system-auth
>> password   include      system-auth
>> session    optional     pam_keyinit.so force revoke
>> session    include      system-auth
>> session    required     pam_loginuid.so
>>
>> and set up the access file /etc/security/access-sshd.conf
>>
>> - : user1 : ALL EXCEPT 1.1.1.1
>> - : user2 : ALL EXCEPT 2.2.2.2
>>
>> This setup works fine. I'm able to log in from the defined sources, but
>> only via password authentication.
>>
>> When I use ssh keys I'm unable to log in and in /var/log/secure is this log
>
> Hi Martin,
>
> Maybe you could define a Match block like the following:
>
> Match Address x.x.x.0/y
>     PubkeyAuthentication yes
>
>> --attached--
>>
>> .ssh directory and authorized_keys have permissions 600
>>
>> I know that it is more related to PAM modules, but I hope that
>> somebody of you can help me more than the PAM developers.
>>
>> Thank you for any feedback!
>>
>> Best regards,
>>
>> Martin Čmelík
>>
>> http://www.security-portal.cz
>> http://www.securix.org
>> Contact me: martin.cmelik at gmail.com
>> Save a tree - kill a beaver
>
> Regards,
>
> --
> Benjamin SANS