Operating System - HP-UX

SSH - Allowgroups - AllowUsers

 
INCS Dept.
Frequent Advisor

SSH - Allowgroups - AllowUsers

Hello,

I'm looking into the sshd_config file and have to make some changes. The changes I have to make are that certain users (e.g. admins) are only allowed from a certain network segment. I looked into the sshd configuration and read that sshd only supports AllowUsers/DenyUsers. I figured out that AllowGroups/DenyGroups does work, but something like AllowGroups@xxx.xxx.xxx does not work.

Therefore, to allow a connection to a network segment and not to the remaining networks I have to configure the following:

DenyUsers admin1@10.10.10
DenyUsers admin1@10.10.11
DenyUsers admin1@10.10.12
DenyUsers admin2@10.10.10
.....etc

Administratively this is a nightmare.

Does anyone have a better suggestion?

Thanks,

INCS
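The question above comes down to how sshd evaluates its DenyUsers/AllowUsers/DenyGroups/AllowGroups lines for a given user and client address. The following Python model is an added illustration written for this thread, not sshd's own code and not anything HP ships. It follows the evaluation order that sshd_config(5) documents (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups), the USER@HOST form that the question already uses, and the `*`/`?` wildcards sshd accepts in those patterns. It compares the host part only against the client address string (sshd also checks the resolved hostname, which is left out here), and the two config texts and the sample logins are constructed.

```python
from fnmatch import fnmatchcase

DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_rules(config_text):
    """Collect the four user/group directives from sshd_config-style text.
    Comments and unrelated keywords are ignored; repeated directives accumulate."""
    rules = {d: [] for d in DIRECTIVES}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key in rules:
            rules[key].extend(rest.split())
    return rules


def user_matches(pattern, user, host):
    """A user pattern is USER or USER@HOST; '*' and '?' are the wildcards.
    The HOST part is matched against the client address as a string, so a
    bare '10.10.10' does not cover 10.10.10.5, while '10.10.10.*' does."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatchcase(user, upat) and fnmatchcase(host, hpat)
    return fnmatchcase(user, pattern)


def group_matches(pattern, groups):
    """Group patterns take no @HOST part; they match any of the user's groups."""
    return any(fnmatchcase(g, pattern) for g in groups)


def evaluate(rules, user, host, groups=()):
    """Decide a login in the order sshd_config(5) gives. Returns (allowed, reason)."""
    for p in rules["DenyUsers"]:
        if user_matches(p, user, host):
            return False, "DenyUsers " + p
    if rules["AllowUsers"] and not any(user_matches(p, user, host) for p in rules["AllowUsers"]):
        return False, "no AllowUsers entry matches"
    for p in rules["DenyGroups"]:
        if group_matches(p, groups):
            return False, "DenyGroups " + p
    if rules["AllowGroups"] and not any(group_matches(p, groups) for p in rules["AllowGroups"]):
        return False, "no AllowGroups entry matches"
    return True, "allowed"


def decide(config_text, user, host, groups=()):
    return evaluate(parse_rules(config_text), user, host, groups)


# Constructed config: the per-network deny list from the question, with the
# trailing wildcard each entry needs to cover a whole /24. Any network that is
# not listed (here 192.168.5.0/24) is still open to the admins.
DENY_LIST_CONFIG = """
DenyUsers admin1@10.10.11.* admin1@10.10.12.*
DenyUsers admin2@10.10.11.* admin2@10.10.12.*
"""

# Constructed alternative: one AllowUsers line pins the admins to 10.10.10.x.
# AllowUsers is an exclusive list, so every other account that may log in has
# to be listed as well (here via the 'ops*' pattern).
ALLOW_LIST_CONFIG = """
AllowUsers admin1@10.10.10.* admin2@10.10.10.* ops*
"""

if __name__ == "__main__":
    for name, cfg in (("deny list", DENY_LIST_CONFIG), ("allow list", ALLOW_LIST_CONFIG)):
        for user, host in (("admin1", "10.10.10.7"), ("admin1", "10.10.11.7"),
                           ("admin1", "192.168.5.9"), ("ops1", "192.168.5.9"),
                           ("bob", "10.10.10.7")):
            print(f"{name:9} {user:7} {host:13} -> {decide(cfg, user, host)}")
```

Running the script shows the two failure modes the thread is circling: the deny list silently leaves admin1 allowed from 192.168.5.9 because that network was never enumerated, and the allow list refuses bob from everywhere because AllowUsers only admits what it names. Checking a candidate sshd_config with `sshd -t` before restarting is still the way to find out whether the HP-UX build accepts a given pattern; the model above only shows how accepted patterns are evaluated.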


Steven E. Protter
Exalted Contributor

Re: SSH - Allowgroups - AllowUsers

Shalom INCS,

ssh processes /etc/profile

/etc/profile can be programmed to reject users from certain groups.

It won't stop sftp/scp, but this may not be an issue.

You might also want to bring up ipfilter if you wish to block certain hosts.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Arunvijai_4
Honored Contributor

Re: SSH - Allowgroups - AllowUsers

Hi,

Why not use IPFilters for this?

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Florian Heigl (new acc)
Honored Contributor

Re: SSH - Allowgroups - AllowUsers

Sorry to say, but the other replies won't get you anywhere, and neither will sshd_config in itself.

I think you could try something with PAM instead.
yesterday I stood at the edge. Today I'm one step ahead.
Darrel Louis
Honored Contributor

Re: SSH - Allowgroups - AllowUsers

Hi,

IPFilter is a good option.

You can also create hostbased authentication.
sshd_config:
HostbasedAuthentication yes

Have a central server (gateway server) where everybody logs in and from there start an ssh to the server.

Add the gateway server to /etc/opt/openssh/shosts.equiv
and depending on the authentication method add the server to the ssh_known_hosts.
ssh-keyscan -t rsa <gateway-server> >> ssh_known_hosts

GoodLuck
Darrel
Florian Heigl (new acc)
Honored Contributor

Re: SSH - Allowgroups - AllowUsers

Actually...

did you try:

AllowGroup users@
AllowUsers admin1@
DenyUsers admin1@0.0.0.0

I have no clue if it works, but it would be great if it did.
If it does work, I'll take almost any bet HP won't support it, though.

yesterday I stood at the edge. Today I'm one step ahead.
Alexander Skwar
Frequent Advisor

Re: SSH - Allowgroups - AllowUsers

You could also try to use 2 SSH daemons running on different ports. With something like ipfilters or xinetd you can control which hosts are allowed to connect to a certain port.
INCS Dept.
Frequent Advisor

Re: SSH - Allowgroups - AllowUsers

Florian,

The HP-UX implementation of SSH does not allow AllowGroups (read FAQ). I did try it, and it does allow the AllowGroups option, but what I really would like is a group and a network like AllowGroups@xxx.xxx.xxx or DenyGroups@xxx.xxx.xxx. If I try this the SSH daemon simply won't start. Bummer.

Bye,

INCS