LinuxQuestions.org

[SSH] User Disallow from all hosts except one (https://www.linuxquestions.org/questions/linux-newbie-8/%5Bssh%5D-user-disallow-from-all-hosts-except-one-874539/)

Fracker 04-12-2011 06:08 AM

[SSH] User Disallow from all hosts except one
 
Hi,

I have a requirement to implement SSH services in a way that the oracle user is disallowed from everywhere other than one host, while there are no restrictions for other users.

I worked with DenyUsers, but it disallows oracle logins from all hosts.

acid_kewpie 04-12-2011 08:13 AM

I would *strongly* suggest that you don't deal with this at ssh level, but use tcpwrappers by editing /etc/hosts.allow and /etc/hosts.deny.

so in hosts.allow:
Code:

sshd : oracle@host
And in hosts.deny:
Code:

sshd : oracle@*
should, AFAIK, only allow oracle from that one host within ssh but not affect anything else whatsoever. Plenty of flexibility in tcpwrappers if you want it, but I think that does what you ask for.

Fracker 04-12-2011 11:48 PM

Thanks, I have just tried your suggestion. After adding the entries I don't see any restriction. I also restarted the network service and the ssh service, but nothing happened. Do I need to restart something else as well?

chrism01 04-13-2011 12:02 AM

acid_kewpie's suggestion should work.
Can you post your hosts.allow & hosts.deny files and sshd_config?
Personally I prefer to put
Code:

ALL : ALL
in hosts.deny and only add stuff to hosts.allow where required. You may have some unusual requirements that need a more complex hosts.deny, but it's rare.

Fracker 04-13-2011 06:06 AM

Quote:

Originally Posted by chrism01 (Post 4322905)
acid_kewpie's suggestion should work.
Can you post your hosts.allow & hosts.deny files and sshd_config?
Personally I prefer to put
Code:

ALL : ALL
in hosts.deny and only add stuff to hosts.allow where required. You may have some unusual requirements that need a more complex hosts.deny, but it's rare.

So what should I use instead of ssh:oracle@* ?

acid_kewpie 04-13-2011 06:09 AM

Well, that would be ALL : ALL as per the post, but that will mean no other users will be able to ssh in from anywhere; the point then would be to go back to hosts.allow and put more specific allows in there.

Fracker 04-14-2011 01:40 AM

Quote:

Originally Posted by acid_kewpie (Post 4323180)
Well, that would be ALL : ALL as per the post, but that will mean no other users will be able to ssh in from anywhere; the point then would be to go back to hosts.allow and put more specific allows in there.

So we are back at step 1, as others will also be blocked.. :)

Gershon K. 04-14-2011 01:57 AM

Why not use iptables?

venikathir 04-14-2011 02:03 AM

Comparatively, tcp wrapper is best for your query.

jschiwal 04-14-2011 04:02 AM

You can use the EXCEPT keyword. This is from the "man 5 hosts_access" man page:
Code:

      The explicitly authorized hosts are listed in the allow file.  For example:

      /etc/hosts.allow:
          ALL: LOCAL @some_netgroup
          ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

So you could use sshd: ALL EXCEPT oracle@ALL

--
sorry, I forgot you wanted oracle at one host permission.
Would
/etc/hosts.deny
sshd: oracle@ALL EXCEPT oracle@<allowed_host>

work for you?

Fracker 05-09-2011 02:45 AM

Nope, that is also not working, I guess I would have to use something else to tackle this ..

Thanks everyone

acid_kewpie 05-09-2011 03:00 AM

Quote:

Originally Posted by Fracker (Post 4350650)
Nope, that is also not working, I guess I would have to use something else to tackle this ..

Thanks everyone

No, you're doing it wrong if it's not working. Or OpenSSH is compiled without tcpwrappers, which is pretty unlikely.

Fracker 05-09-2011 05:07 AM

Quote:

[root@backup01 ~]# strings $(which sshd)| grep libwrap
libwrap.so.0
libwrap refuse returns
[root@backup01 ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

sshd: user@ALL EXCEPT user@xx.x.xx.xxx
Just removed IP and Username here

djsmiley2k 05-09-2011 06:26 AM

Erm, or you could set up sshd properly. xD

/etc/ssh/sshd_config

Code:

# Example of overriding settings on a per-user basis
#Match User oracle
#      X11Forwarding no
#      AllowTcpForwarding no
#      ForceCommand cvs server
AllowUsers oracle@123.123.123.10
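Added example, not from the thread and not OpenSSH code: a small Python model of how sshd evaluates DenyUsers/AllowUsers and a Match block, used to check the two configurations against the original requirement; it shows that the single AllowUsers line above does restrict oracle but also locks out every other user, whereas a Match block that denies oracle from any address except 123.123.123.10 leaves other users untouched. tcp_wrappers is not modelled because the user part of a hosts_access(5) client pattern is the IDENT-reported client-side name, not the SSH login name, which is why the hosts.deny attempts in this thread had no effect. It assumes an sshd whose Match blocks accept DenyUsers (see sshd_config(5)); the address 123.123.123.10 is the one from the post above and all other hosts and users are constructed.

```python
from fnmatch import fnmatchcase

ORACLE_HOST = "123.123.123.10"  # address from the thread; all other values below are constructed

def entry_matches(entry, user, host, addr):
    # Entry is USER or USER@HOST; HOST is compared with client hostname and IP, * ? are wildcards
    upat, _, hpat = entry.partition("@")
    if not fnmatchcase(user, upat):
        return False
    return not hpat or fnmatchcase(host, hpat) or fnmatchcase(addr, hpat)

def address_matches(addr, criteria):
    # "Match Address" takes a comma-separated list; a matching "!" entry vetoes the
    # block, otherwise any matching positive entry selects it.
    positive = False
    for pat in criteria.split(","):
        if pat.startswith("!"):
            if fnmatchcase(addr, pat[1:]):
                return False
        elif fnmatchcase(addr, pat):
            positive = True
    return positive

def login_allowed(cfg, user, host, addr):
    # Lists from a matching Match block replace the global ones; DenyUsers is
    # checked first, then AllowUsers acts as an allow-list whenever it is set.
    allow, deny = cfg.get("AllowUsers", []), cfg.get("DenyUsers", [])
    for block in cfg.get("Match", []):
        if fnmatchcase(user, block["User"]) and address_matches(addr, block["Address"]):
            allow = block.get("AllowUsers", allow)
            deny = block.get("DenyUsers", deny)
    if any(entry_matches(e, user, host, addr) for e in deny):
        return False
    if allow and not any(entry_matches(e, user, host, addr) for e in allow):
        return False
    return True

# The single line from the post above: it restricts oracle, but also shuts out bob.
ONLY_ALLOWUSERS = {"AllowUsers": ["oracle@" + ORACLE_HOST]}
# Constructed alternative:  Match User oracle Address *,!123.123.123.10
#                               DenyUsers oracle
MATCH_BASED = {"Match": [{"User": "oracle", "Address": "*,!" + ORACLE_HOST,
                          "DenyUsers": ["oracle"]}]}

if __name__ == "__main__":
    for name, cfg in (("AllowUsers only", ONLY_ALLOWUSERS), ("Match block", MATCH_BASED)):
        for user, addr in (("oracle", ORACLE_HOST), ("oracle", "10.0.0.7"), ("bob", "10.0.0.7")):
            verdict = "allow" if login_allowed(cfg, user, addr, addr) else "deny"
            print(f"{name:16} {user}@{addr}: {verdict}")  # no reverse DNS here, so host = addr
```

On a real server the same cases can be checked without a model by running `sshd -T -C user=oracle,host=<client_hostname>,addr=123.123.123.10`, which prints the effective configuration sshd would apply to that connection.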
