LinuxQuestions.org, Linux - Security forum
#1, 02-06-2009, 09:07 AM
cooljai (Member; Distribution: CentOS, Fedora, RHEL, SuSE)
How to configure tcpwrapper for ssh for a user?


Hi,

I've a root user which can be accessed only with a secure key, but some normal shell users require passwords to log in (some Windows users who change machines find it difficult to set up a key with PuTTY every time).

I want to restrict all normal shell users so that they can ssh only from a selected IP address. I tried configuring tcpwrappers but was unable to figure out the proper way. Please suggest.

Or is it possible, and better for security, to create a separate key for each user and turn off password auth entirely?
 
#2, 02-06-2009, 10:10 AM
jschiwal (Moderator; Distribution: SuSE AMD64)
On your last question, the answer is yes. Look at /etc/ssh/sshd_config. The commented paragraph above "UsePAM yes" tells you which options to disable, and still use PAM for session control. If you allow root logins (which I wouldn't for administrative access), you don't want to use password authentication because it is a well-known target.

A user can use PuTTY's keygen program to generate and save a key pair. Then, after loading the private key, an OpenSSH public key is displayed at the top of the dialog, which can be highlighted and copied.

Also look at the sshd_config, ssh_config and sshd manpages. There is an option "AllowUsers" which can list the only users allowed to log in using ssh. A user's entry can be of the form username@host, which could limit where a user can log in from. The public key in the authorized_keys file can contain a from= field, but a user logging in could edit it. This is more useful as a means for a security-conscious user to limit where they can log in from.

One problem with Public Key Authentication (PKA) is that you can't enforce the use of a passphrase to protect the users private key.

---

IMHO if you will generate a key pair and distribute it to the users to use, you don't want to do this for a root key pair. The more people with the root private key, the more likely that it will become lost. If it does, a strong passphrase will protect it, but some users may save the key somewhere on their laptop. I think it would be better to use a regular account. A user can log in, and then use sudo or su to root.

---
Excerpt from sshd_config:
Code:
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
/etc/pam.d/ssh:
Code:
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke

Let's look at system-auth:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Using PublicKey authentication, I believe that the highlighted lines are the ones that are used.

---
Also look at the manpages for pam_access and access.conf. Having a "session required pam_access" entry in /etc/pam.d/sshd should give you control by editing /etc/security/access.conf. Add entries for the sshd service containing the user's name and valid access point. Or you could restrict all ssh logins to your subnet.
---

I only use PKA, but I haven't done these things with PAM, so be sure to experiment and test it out before implementing. Maybe a real linux admin will chime in and let us know how full of it I am!

Good Luck!

Last edited by jschiwal; 02-06-2009 at 10:22 AM.
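Two points from the answer above are worth seeing as working configuration, as an added example that is not code from this thread or from the poster. First, tcp_wrappers only ever sees the source address of the connection, never the user, so /etc/hosts.allow can gate sshd as a whole but cannot do the per-user restriction the question asks for; that has to come from sshd itself (AllowUsers with a host part, or a Match block, available since OpenSSH 4.4) or from PAM (pam_access). Second, /etc/security/access.conf has no service column: its lines are permission : users : origins, evaluated top to bottom with the first match deciding and a grant when nothing matches, and you scope it to ssh by stacking pam_access.so in /etc/pam.d/sshd only (the account type is the conventional place; note that PAM runs after the key or password has already been accepted, whereas sshd's own AllowUsers and Match reject earlier). The script below prints the sshd_config and tcp_wrappers fragments and then runs a small emulator of that first-match-wins rule over a correctly ordered and a wrongly ordered access.conf, so the ordering pitfall is visible without touching a live PAM stack. The office network 192.0.2.0/24, the users alice and bob, and the reduced pam_access syntax the emulator understands are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two pieces: the sshd_config and
# tcp_wrappers fragments that answer the question, and a small emulator of
# pam_access's first-match-wins evaluation of /etc/security/access.conf.
# Assumed values: office network 192.0.2.0/24, password users alice and bob.
set -f   # no filename globbing: field tokens are matched as text, not paths

# sshd_config: keys only everywhere, passwords only for the named users and
# only from the office, and every non-root account pinned to the office.
# PermitRootLogin without-password is spelled prohibit-password from
# OpenSSH 7.0 on (the old spelling is still accepted).  Check the result with
#   sshd -t -f FILE    and    sshd -T -f FILE -C user=alice,host=pc1,addr=192.0.2.10
sshd_config_fragment() {
  cat <<'EOF'
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers root alice@192.0.2.* bob@192.0.2.*
Match Address 192.0.2.0/24 User alice,bob
    PasswordAuthentication yes
EOF
}

# tcp_wrappers sees only the source address, never the user, so it can only
# gate sshd as a whole (root's key logins included).  hosts.allow, then hosts.deny:
tcp_wrappers_fragment() {
  cat <<'EOF'
# /etc/hosts.allow
sshd: 192.0.2.0/255.255.255.0
# /etc/hosts.deny
sshd: ALL
EOF
}

# /etc/security/access.conf candidates.  Scope them to ssh by stacking
# "account required pam_access.so" in /etc/pam.d/sshd only; the file itself
# has no service column.  Format is  permission : users : origins.
GOOD_POLICY='+ : root : LOCAL
+ : alice bob : 192.0.2.
- : ALL EXCEPT root : ALL'

# Same lines, wrong order: the blanket deny shadows the office allow.
BAD_POLICY='- : ALL EXCEPT root : ALL
+ : alice bob : 192.0.2.'

# Collapse blanks around and inside a field.
trim() { set -- $1; printf '%s' "$*"; }

# Does field spec $1 match value $2?  Covers the subset used above: ALL,
# "ALL EXCEPT ...", plain names, and a trailing-dot IPv4 prefix (192.0.2.).
# Real pam_access also knows (group) names, CIDR, LOCAL and domain suffixes.
match_field() {
  case "$1" in
    "ALL EXCEPT "*)
      if match_field "${1#ALL EXCEPT }" "$2"; then return 1; else return 0; fi ;;
  esac
  for tok in $1; do
    case "$tok" in
      ALL) return 0 ;;
      *.)  case "$2" in "$tok"*) return 0 ;; esac ;;
      *)   if [ "$tok" = "$2" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# evaluate POLICY USER ORIGIN -> prints grant or deny.  Lines are scanned in
# order and the first one whose users and origins fields both match decides;
# when nothing matches pam_access grants, which is why the blanket deny
# belongs at the bottom of a restrictive file, never at the top.
evaluate() {
  result=$(printf '%s\n' "$1" | while IFS=: read -r perm users origins; do
    perm=$(trim "$perm"); users=$(trim "$users"); origins=$(trim "$origins")
    case "$perm" in ''|'#'*) continue ;; esac
    if match_field "$users" "$2" && match_field "$origins" "$3"; then
      case "$perm" in +) echo grant ;; *) echo deny ;; esac
      break
    fi
  done)
  echo "${result:-grant}"
}

# Demo run: the fragments, then the same three logins under each policy.
sshd_config_fragment; tcp_wrappers_fragment
for who in 'alice 192.0.2.10' 'alice 198.51.100.7' 'mallory 192.0.2.10'; do
  set -- $who
  printf 'good order: %-8s from %-14s -> %s\n' "$1" "$2" "$(evaluate "$GOOD_POLICY" "$1" "$2")"
  printf 'bad order:  %-8s from %-14s -> %s\n' "$1" "$2" "$(evaluate "$BAD_POLICY" "$1" "$2")"
done
```

Under the good ordering alice gets in from 192.0.2.10 and is refused from 198.51.100.7, and mallory is refused from the office too; under the bad ordering alice is refused even from the office, because the deny line is reached first. Root from a remote address matches no line of either policy and so is granted by pam_access, which is why root's remote access is governed by PermitRootLogin and AllowUsers in sshd_config rather than by access.conf.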
 
#3, 02-07-2009, 12:39 AM
cooljai (Original Poster)
Thanks a lot, buddy!! This will surely help. I was aware of the 'AllowUsers' option in sshd_config but never tried giving a host with it. I'm reading further, but for the moment I'd use this so that selected users will be able to access the server from the office IP only.

There's one more thing to ask. By looking at /etc/passwd, we can see that the users added by various applications/software such as mysql, nagios etc. have the /bin/bash shell, which I think should not be there. How about changing it to /sbin/nologin? Is there any system/app user, apart from root, that might need a shell? (Just asking in a general context, as every server may have an entirely different set of apps.)

I was very pleased with DenyHosts, but some naive users keep offending it, which eventually results in blocking the office IP. Any suggestion in this context, apart from raising the limit of failed attempts before blocking the IP?
 
#4, 02-07-2009, 01:02 AM
jschiwal (Moderator)
Using AllowUsers will disallow ssh logins by system users. If you don't use AllowUsers, then you should use DenyUsers to exclude system user login attempts.

The second field of a system user's /etc/shadow entry should already be :!: or :!!: which will lock out the user. A regular user with ! starting the password field will have their account locked out as well.
See "man usermod" for more info. I don't know why my system has `:!!:' in this field.

A number of system users on my system have /bin/false as the default shell.
Code:
avahi:x:102:104:User for Avahi:/var/run/avahi-daemon:/bin/false
gdm:x:106:108:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
haldaemon:x:104:106:User for haldaemon:/var/run/hal:/bin/false
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
messagebus:x:100:102:User for D-Bus:/var/run/dbus:/bin/false
ntp:x:74:101:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:103:105:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
uuidd:x:101:103:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
pulse:x:108:110:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
ftpsecure:x:109:65534:Secure FTP User:/var/lib/empty:/bin/false
dhcpd:x:110:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
mysql:x:60:113:MySQL database admin:/var/lib/mysql:/bin/false
festival:x:111:114:Festival daemon:/usr/share/festival/:/bin/false
dnsmasq:x:112:65534:dnsmasq:/var/lib/empty:/bin/false
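The two checks this exchange amounts to, an interactive login shell on an application account and an unlocked password field in /etc/shadow, can be done in a few lines of shell, plus the DenyUsers line for the case where no AllowUsers list is maintained. The script below is an added example, not code from this thread or from either poster; the passwd and shadow contents are constructed sample data (the hashes are not real), and the UID ceiling of 500 is taken from the system-auth stack posted above (current distributions generally use 1000, so pass your own limit). It treats a password field starting with "!" or "*" as locked, counts /sbin/nologin, /usr/sbin/nologin and /bin/false as non-login shells, and leaves root (UID 0) to PermitRootLogin.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the accounts below the
# distribution's system-UID ceiling (500 here, from the system-auth shown
# above; newer distributions use 1000) for an interactive login shell and an
# unlocked /etc/shadow field, then emit the DenyUsers line that keeps them
# out of sshd.  The passwd/shadow content is constructed sample data.
set -f

PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nagios:x:498:498:Nagios:/var/log/nagios:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
cat >"$SHADOW_SAMPLE" <<'EOF'
root:$6$c0nstructed$notarealhashvalue:14000:0:99999:7:::
mysql:!!:14000:0:99999:7:::
postfix:!!:14000:0:99999:7:::
sshd:!!:14000:0:99999:7:::
nagios:$1$c0nstr$notarealhashvalue:14000:0:99999:7:::
alice:$6$c0nstructed$notarealhashvalue:14000:0:99999:7:::
bob:!!:14000:0:99999:7:::
EOF

# A shadow password field is locked when it starts with "!" (usermod -L,
# "!!" = never set) or with "*"; anything else, including an empty field,
# can authenticate with a password if sshd lets one be offered.
is_locked() {
  case "$1" in '!'*|'*'*) return 0 ;; *) return 1 ;; esac
}

# Shells that refuse a session.  Add any others your distribution uses.
is_nologin_shell() {
  case "$1" in /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;; *) return 1 ;; esac
}

# audit_system_accounts PASSWD SHADOW UID_LIMIT
# Prints one line per system account (0 < uid < limit) that still has an
# interactive shell or an unlocked password; root is left to PermitRootLogin.
audit_system_accounts() {
  while IFS=: read -r name _pw uid _gid _gecos _home shell; do
    if [ "$uid" -le 0 ] || [ "$uid" -ge "$3" ]; then continue; fi
    field=$(awk -F: -v u="$name" '$1 == u { print $2 }' "$2")
    if is_locked "$field"; then locked=yes; else locked=no; fi
    if is_nologin_shell "$shell"; then badshell=no; else badshell=yes; fi
    if [ "$badshell" = yes ] || [ "$locked" = no ]; then
      printf '%s shell=%s locked=%s\n' "$name" "$shell" "$locked"
    fi
  done <"$1"
}

# deny_users_line PASSWD UID_LIMIT -> "DenyUsers a b c" for sshd_config, the
# alternative when you do not maintain an AllowUsers list (root excluded).
deny_users_line() {
  awk -F: -v limit="$2" '$3 > 0 && $3 < limit { list = list " " $1 }
                         END { print "DenyUsers" list }' "$1"
}

echo "System accounts needing attention (uid < 500):"
audit_system_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" 500
deny_users_line "$PASSWD_SAMPLE" 500
# Remedies for what gets flagged:  usermod -s /sbin/nologin mysql
#                                  usermod -L nagios
```

On the sample data mysql is reported for its /bin/bash shell (its password is locked), nagios for both the shell and an unlocked password hash, and postfix and sshd pass; alice and bob are above the limit and are not system accounts. Run it against the real files as root (reading /etc/shadow needs that) and review the DenyUsers line before pasting it into sshd_config.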