Operating System - HP-UX

Re: tcp wrappers - guru's?

 
SOLVED
Go to solution
Donny Jekels
Respected Contributor

tcp wrappers - guru's?

I need to build a hosts.allow file to allow:

1) root to ssh from two hosts, and
2) still allow everyone else from anywhere to ssh to the host.

I looked in the documentation and it does not look as if this is possible.

any bright ideas out there?
"Vision, is the art of seeing the invisible"
Jeff Schussele
Honored Contributor

Re: tcp wrappers - guru's?

Hi Donny,

Well...it's doable, but it's not the preferred way to do it.
First thing that would have to be done is convert SSH from a pure daemon to an on-demand process using the inetd.conf file.
So you'd have to pull its startup out of /sbin/init.d & add /etc/service & /etc/inetd.conf entries.

From there it should be straightforward.

But I would caution you *very* strongly to not allow direct root logins of any type - even SSH with key-pairs established. You lose a *lot* of auditing ability when root can login directly from anywhere. You're essentially reduced to chasing IPs as that's all you'll have without su/sudo logs to refer to.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Simon Hargrave
Honored Contributor

Re: tcp wrappers - guru's?

Probably better to configure this in your sshd2_config file rather than hosts.equiv.

You can set the PermitRootLogin parameter to nopwd, which means that only key-pair authentication is allowed for root. If you then give the public keys only to the 2 hosts in question, this should do what you require?
Simon Hargrave
Honored Contributor

Re: tcp wrappers - guru's?

But yes also I agree as Jeff said, security-wise it's much better to deny root from everywhere.
Jairo Campana
Trusted Contributor

Re: tcp wrappers - guru's?

1) PermitLoginroot in host1 and host2

PermitLoginroot no ---> no login of root, only user, before su - root
PermitLoginroot yes ---> login of root

2) use tcpwrapper
legionx
Donny Jekels
Respected Contributor

Re: tcp wrappers - guru's?

I guess it's a very debatable topic, and it was not my intention with this posting. Everyone has their own opinion about root login.

I can confirm that with PAM enabled you lose nothing.

Running SSH in inetd.conf is not the route we chose to go. We have millions of jobs running ssh/scp/rsync/tar through sshd 24x7x365.

Again, please no comments about root's ability to ssh!
"Vision, is the art of seeing the invisible"
Donny Jekels
Respected Contributor

Re: tcp wrappers - guru's?

Jairo,

Your description is what I explained. This is what we are doing.

My question is how do you configure tcp_wrappers to allow user root from machine x to ssh into machine z?

"Vision, is the art of seeing the invisible"
Todd McDaniel_1
Honored Contributor

Re: tcp wrappers - guru's?

Donny,

In your question you asked about root and ssh, they were responding to that I think.

As you may know if both hosts have SSH generated keys, then they should have no problem allowing access via ssh between those 2 boxes.


From what I can see if you have PAM then all you need is a properly built /etc/hosts.allow file...

So long as both boxes have SSH running, I don't see why all users won't be able to login via SSH... granted they have a normal password.

If they login via Windows system, then they need the authentication key on their pc/laptop as well.


Here is one of mine...

# cat /etc/hosts.allow
#all : all : banners=/usr/localcw/opt/sysguard/banners : allow
ftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : all : banners=/usr/localcw/opt/sysguard/banners : allow
tftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
logind : all : banners=/usr/localcw/opt/sysguard/banners : allow
rlogind : all : banners=/usr/localcw/opt/sysguard/banners : allow
remshd : all : banners=/usr/localcw/opt/sysguard/banners : allow
sidftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
rexecd : all : banners=/usr/localcw/opt/sysguard/banners : allow
sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow
Unix, the other white meat.
Donny Jekels
Respected Contributor

Re: tcp wrappers - guru's?

Todd,

There is no reason why both boxes need to run sshd. However all our boxes do.

ssh client connects to sshd

Also, PAM is used for authentication and logging, in addition to ssh keys.

My question is how to tell tcp_wrappers to read the login id from the remote host trying to come over with an ssh connection.

From what I have investigated, this is not possible. Unless any tcp wrappers guru can tell me otherwise.
"Vision, is the art of seeing the invisible"
Todd McDaniel_1
Honored Contributor

Re: tcp wrappers - guru's?

Maybe I misunderstand but the man page shows this:

ssh [-l login_name] hostname


I just tried it with 2 of my boxes and it seems to work.

I don't have PAM running though...
Unix, the other white meat.
Donny Jekels
Respected Contributor

Re: tcp wrappers - guru's?

todd,

you are correct, you can log in with any user to another host with ssh -l remote, or even ssh root@remote

this is not the problem.

I want to lock where root can login from through ssh and tcp wrappers.
"Vision, is the art of seeing the invisible"
RAC_1
Honored Contributor

Re: tcp wrappers - guru's?

Without tcp wrappers, you can always put code in /etc/profile and $HOME/.profile to check where it is coming from and what the uid is, and then grant/deny access.

Based on tcp wrappers, the sshd needs to run through /etc/inetd.conf.

Anil
There is no substitute to HARDWORK
Donny Jekels
Respected Contributor

Re: tcp wrappers - guru's?

RAC,

great idea. we could add an entry in /etc/profile to check if the user is root and the SSH_CLIENT is the same, then allow, else drop.

sweeeerttttt
"Vision, is the art of seeing the invisible"
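The /etc/profile check sketched in the two posts above, written out as an added example (this is not code from the thread or from any of its posters). It assumes the two permitted source addresses are 10.0.0.11 and 10.0.0.12 (constructed placeholders), that sshd exports SSH_CLIENT as "client_ip client_port server_port", and that logger(1) is available for the audit trail; root_source_allowed does the decision, enforce_root_source is the hook to call from /etc/profile.

```shell
#!/bin/sh
# Added example: gate root's interactive ssh login on the source address in
# SSH_CLIENT. Not from the thread; addresses below are constructed placeholders.

# The two hosts root may come from (constructed sample allow list).
ROOT_SSH_SOURCES="10.0.0.11 10.0.0.12"

# root_source_allowed USER SSH_CLIENT_VALUE
# Returns 0 when the session may proceed, 1 when it should be refused.
root_source_allowed() {
    user=$1
    client=$2
    # Only root is restricted; everyone else may log in from anywhere.
    [ "$user" != "root" ] && return 0
    # Empty SSH_CLIENT means console, su or a non-ssh path: not our concern here.
    [ -z "$client" ] && return 0
    # SSH_CLIENT is "ip port port"; keep the address only.
    client_ip=${client%% *}
    for ip in $ROOT_SSH_SOURCES; do
        [ "$client_ip" = "$ip" ] && return 0
    done
    return 1
}

# enforce_root_source: call from /etc/profile. Refuses the login shell and logs
# the source when root arrives over ssh from an address not on the list.
# Assumes LOGNAME is set by login (falls back to whoami).
enforce_root_source() {
    me=${LOGNAME:-$(whoami)}
    if ! root_source_allowed "$me" "$SSH_CLIENT"; then
        logger -p auth.warning \
            "root login from ${SSH_CLIENT%% *} refused by /etc/profile source check"
        exit 1
    fi
}

# Usage in /etc/profile (one line, after sourcing this file):
#   enforce_root_source
```

Two caveats a practitioner should keep in mind: /etc/profile is read only by interactive login shells, so "ssh host command", scp and rsync sessions (the kind of traffic Donny describes) bypass this check entirely; and the check runs after sshd has already authenticated root, so it is a session-level filter rather than an authentication control. The AllowUsers USER@HOST keyword quoted later in the thread is enforced by sshd itself before the session starts.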
Todd McDaniel_1
Honored Contributor
Solution

Re: tcp wrappers - guru's?

Okay, I understand now...

You want to restrict root to only 2 boxes... via ssh...

Here is a great doc that you can use to restrict access with...

http://ezine.daemonnews.org/200206/hosts_allow.html

The option I think will help you most is

spawn (command(s)):
Generates a new process that will run the command(s) given, but the spawn commands themselves will not allow or deny the connection, so you must have either " : allow" or " : deny" at the end of the rule in order to make the rule truly effective.


This will allow you to write a script to filter out logins to see if it is a root or other and check the hostname...

If not I am sure something else on the page can give you an idea...
Unix, the other white meat.
Donny Jekels
Respected Contributor

Re: tcp wrappers - guru's?

great, thanks.

not too difficult to understand.
"Vision, is the art of seeing the invisible"
Ancelmo Rodriguez Parra
Occasional Advisor

Re: tcp wrappers - guru's?

perhaps this can help (from the sshd_config man page):
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. `*' and `?' can be
used as wildcards in the patterns. Only user names are valid; a
numerical user ID is not recognized. By default, login is
allowed for all users. If the pattern takes the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts.