Operating System - HP-UX

ssh authentication on IP address

 
Stojcevski Dejan
Regular Advisor

ssh authentication on IP address

Hello to all,
I have installed SSH 2 on HP-UX 11.00. I want to configure the sshd to authenticate the sessions based on IP address of the client (or fully qualified domain name). This means that I want sshd to accept requests only from certain hosts (IP address/domain names) and nothing else! Is this configurable as HostBased Authentication method in ssh? Can you tell me in short the necessary steps to configure this kind of authentication?
Thanks.
Carpe Diem
TwoProc
Honored Contributor

Re: ssh authentication on IP address

I think you'd have to use IPfilter for that. This would be more of a firewall approach (software wise) than a configuration of ssh itself. It works fine for the purpose that you're speaking of, except that you also need to exchange keys for the user that you're wanting to let in.
We are the people our parents warned us about --Jimmy Buffett
Mel Burslan
Honored Contributor

Re: ssh authentication on IP address

I think what you are trying to accomplish is not in the scope of sshd configuration. You need to look into the use of iptables. A simple rule will allow you to enable or disable host/network based access to sshd. I know the principle, do not have the first hand experience as we do not use iptables, but trust our network guys do the filtering at the firewall level.

For iptables on linux and how you can configure ssh access restrictions, please see this page:

http://www.slackbook.org/html/security-host.html

hope it helps
________________________________
UNIX because I majored in cryptology...
Stojcevski Dejan
Regular Advisor

Re: ssh authentication on IP address

Ok. It seems that sshd can not filter based on IP. However on HP-UX, pure telnet can be configured to accept connections from certain IP addresses (/var/adm/inetd.sec file). I just want the same thing with something more secure than pure telnet. If sshd can not do that what do you recommend (IPFilter is too robust to install it on a product machine and this kind of firewall is usually implemented in data network level)? Need simple and effective solution!
Carpe Diem
Ivan Ferreira
Honored Contributor
Solution

Re: ssh authentication on IP address

Use the AllowUsers

AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for users names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized.


By default, login is allowed for all users.

*** IMPORTANT ***

If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
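Added example (not part of the original thread and not OpenSSH's own code): a small Python model of the AllowUsers rule quoted in the answer above, applied to a constructed sshd_config excerpt. The account names and addresses are made up, and it assumes the HOST part is compared against both the client's IP address and its resolved name; only the `*` and `?` wildcards from the quoted text are modelled.

```python
import re

# Constructed sshd_config excerpt; the accounts and addresses are made-up samples.
SAMPLE_CONFIG = """\
Port 22
# one USER@HOST pattern per allowed user/source pair
AllowUsers dejan@192.0.2.10 oper?@*.example.com backup
"""

def wildcard(pattern):
    """Compile a pattern that uses only the `*` and `?` wildcards."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body)

def allow_patterns(config_text):
    """Collect the patterns from every AllowUsers line, skipping comments."""
    patterns = []
    for line in config_text.splitlines():
        fields = line.split()
        if fields and fields[0].lower() == "allowusers":
            patterns.extend(fields[1:])
    return patterns

def login_allowed(patterns, user, client_ids):
    """client_ids: the client's IP address plus its resolved name, if any."""
    if not patterns:
        return True  # no AllowUsers line: login is allowed for all users
    for pattern in patterns:
        user_pat, at, host_pat = pattern.partition("@")
        if not wildcard(user_pat).fullmatch(user):
            continue
        # A pattern without "@" restricts the user name only, not the source.
        if not at or any(wildcard(host_pat).fullmatch(c) for c in client_ids):
            return True
    return False

if __name__ == "__main__":
    pats = allow_patterns(SAMPLE_CONFIG)
    for user, ids in [("dejan", ["192.0.2.10"]), ("dejan", ["198.51.100.7"]),
                      ("oper1", ["203.0.113.5", "gw.example.com"]),
                      ("backup", ["198.51.100.7"]), ("root", ["192.0.2.10"])]:
        print(user, ids, "->", "allow" if login_allowed(pats, user, ids) else "deny")
```

The bare `backup` pattern carries no host restriction, and once an AllowUsers line is present any account it does not list (root here) is refused from every address, including the permitted ones.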
Stojcevski Dejan
Regular Advisor

Re: ssh authentication on IP address

Can you tell me more about this key AllowUsers? Is this key per authentication method or default for all methods - because in the sshd_config I have a number of directives of form PasswordAuthAllowUsers etc...? It is configurable in sshd_config file right?
Carpe Diem
Stojcevski Dejan
Regular Advisor

Re: ssh authentication on IP address

One more question: does this apply for secure ftp as well or not?
Carpe Diem
Steven E. Protter
Exalted Contributor

Re: ssh authentication on IP address

shalom,

ssh and sftp are part of openssh and use the exact same authentication method.

Whatever you configure for ssh will act the same way on sftp.


This question:
>>>
Can you tell me more about this key AllowUsers? Is this key per authentication method or default for all methods - because in the sshd_config I have a number of directives of form PasswordAuthAllowUsers etc...? It is configurable in sshd_config file right?
>>>

I believe these methods are configurable in sshd_config or ssh_config, probably the former.

Few thoughts.

Be careful going wild with this, you want to be able to take a vacation some day and the next guy needs to be able to understand this.

This method would be a problem on the floating IP address of a cluster due to the MAC address checking features of openssh.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
David Woodroffe
Frequent Advisor

Re: ssh authentication on IP address

I use /etc/hosts.allow and /etc/hosts.deny to control IP access for ssh.

In the hosts.allow file simply put
sshd:

In the hosts.deny file simply put
sshd:ALL

Only IP address 1 and 2 can access as far as I can determine. I'm running the software on HP-UX 11i v1 loaded from the HP software site (vers A.04.30).

Be careful you don't lock yourself out.
Stojcevski Dejan
Regular Advisor

Re: ssh authentication on IP address

I have found the solution to this issue: that is AllowUsers directive in sshd_config file - it is simple and effective and it does the job I have hoped for. I still need to work out the rest of the problems in securing the platform (ssh will solve just telnet and ftp issues) but this is story for other thread. For now thanks a lot for responses. Once again I have found solution in just one day! Great forum.
Dejan.
Carpe Diem