topic Re: SSH - Allowgroups - AllowUsers in Operating System - HP-UX

SSH - Allowgroups - AllowUsers

INCS Dept. — Wed, 08 Feb 2006 09:54:41 GMT

Hello,

I'm looking into the sshd_config file and have top make some changes. The changes I have to make is that certain users (e.g. admin's) are only allowed from a certain network segment. I looked into the sshd configuration an read that sshd only supports AllowUsers/DenyUsers. I figured out that AllowGroups/DenyGroups does work, but something like AllowGroups@xxx.xxx.xxx does not work.

Therefore, to allow a connection to a network segment and not to the remaining networks I have to configure the following:

DenyUsers admin1@10.10.10
DenyUsers admin1@10.10.11
DenyUsers admin1@10.10.12
DenyUsers admin2@10.10.10
.....etc

Administrativily this is a nightmare.

Does anyone have a better suggestion ?

Thanks,

INCS

Re: SSH - Allowgroups - AllowUsers

Steven E. Protter — Wed, 08 Feb 2006 10:04:34 GMT

Shalom INCS,

ssh processes /etc/profile

/etc/profile can be programmed to reject users from certain groups.

It won't stop sftp/scp, but this may not be an issue.

You might also want to bring up ipfilter if you wish to block certain hosts.

SEP

Re: SSH - Allowgroups - AllowUsers

Arunvijai_4 — Wed, 08 Feb 2006 10:28:40 GMT

Hi,

Why not using IPFilters for this ?

-Arun

Re: SSH - Allowgroups - AllowUsers

Florian Heigl (new acc) — Wed, 08 Feb 2006 11:02:21 GMT

Sorry to say, but the other replies won't get You anywhere, and neither will the sshd_conf in itself.

I think You could try something with PAM instead.

Re: SSH - Allowgroups - AllowUsers

Darrel Louis — Wed, 08 Feb 2006 11:57:34 GMT

Hi,

IPFilter is a good option.

You can also create hostbased authentication.
sshd_config:
HostbasedAuthentication yes

Have a central server(gateway server) where everybody login and from there start a ssh to the server.

Add the gateway server to /etc/opt/openssh/shosts.equiv
and depending on authentication methode add the server to the ssh_known_hosts.
ssh-keyscan -t rsa >>ssh_known_hosts

GoodLuck
Darrel

Re: SSH - Allowgroups - AllowUsers

Florian Heigl (new acc) — Wed, 08 Feb 2006 14:11:40 GMT

Actually...

did You try:

AllowGroup users@
AllowUsers admin1@
DenyUsers admin1@0.0.0.0

I have no clue if it works, but it would be great if it did.
If it does work, I'll take almost any bet HP won't support it, though.

Re: SSH - Allowgroups - AllowUsers

Alexander Skwar — Thu, 09 Feb 2006 02:34:23 GMT

You could also try to use 2 SSH daemons running on different ports. With something like ipfilters or xinetd you can control from which hosts are allowed to connect to a certain port.

Re: SSH - Allowgroups - AllowUsers

INCS Dept. — Thu, 09 Feb 2006 02:55:12 GMT

Florian,

The HP-UX implementation of SSH does not allow AllowGroups (read FAQ). I did try if it did and it does allow the AllowGroups option, but what I really like is a group and a network like AllowGroups@xxx.xxx.xxx or DenyGroups@xxx.xxx.xxx . If I try this the SSH daemon simply won't start. Bummer.

Bye,

INCS