Old 07-23-2009, 01:54 AM   #1
hemanshurpatel
Member
 
Registered: Jul 2009
Location: India
Distribution: fedora 12
Posts: 36

Rep: Reputation: 15
Limit ssh session from a host with a particular Key file


Hello friends,

I am having a bit of a problem.
I have got a few servers to handle, lying in the USA, UK and Canada.

As of now I use them with SSH (version 2); they all have Fedora Core 8 installed.

I want the following things; please read all of them to get exactly what I want.

1) I don't want anyone to be able to do ssh.
2) I want ssh via password only, no ssh-keygen.
3) ssh should be done from some specific hosts only, which are allowed.
4) I mean even though someone has the password of the server he should not be able to ssh to my server; it needs a specific key sort of thing. If that keyfile is present on the client's PC, then only should he be able to do ssh using the password.


Am I sounding clear? If not, please tell me.

All I want is to limit the users doing ssh to my servers though they have the root password; only users who have the combination of password and keyfile should be able to do ssh.

Hope I have sounded clear enough.

Waiting for your valuable comments and replies,
 
Old 07-23-2009, 06:57 AM   #2
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Rep: Reputation: 63
Well, I don't have all the answers for you, but even so, I hope some of this could help you.

3) To limit the origin you can use the files /etc/hosts.allow and /etc/hosts.deny. For instance, use an empty hosts.allow and in hosts.deny put something like:
Code:
sshd: ALL EXCEPT networks or list of valid IPs
For the other questions I don't know how to do that. I will follow this thread to learn from someone else, in the hope he/she could have the answer.

I use fail2ban, which is a program that can block an IP that has too many failed login attempts. I use fail2ban to protect sshd against brute force attacks. On the first attempt it can block the IP for hours, except if it is your IP; in this case it blocks you after the third attempt for 5 minutes - or whatever - I got the idea.

Cheers,
 
Old 07-23-2009, 07:20 AM   #3
hemanshurpatel
Member
 
Registered: Jul 2009
Location: India
Distribution: fedora 12
Posts: 36

Original Poster
Rep: Reputation: 15
Thanks,

But I don't want my servers to be limited to specific IPs.

Say I have got the root password and I have got a keyfile; then I may connect my laptop to any network (means any IP), and I should be able to connect.

In short, rather than depending on just a password I want two parameters, one is the password and the other is a file; then only can anyone connect to my servers.

Still waiting for comments....
 
Old 07-23-2009, 02:43 PM   #4
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Rep: Reputation: 63
Looking at "man sshd_config" I found the directives "AllowUsers" and "DenyUsers" which could be used (I guess) to limit who can log in through ssh (your request number 1).
Also, the directive "AuthorizedKeysFile" that contains the public keys that can be used for user authentication, which is your request number 4.

Take a look at "sshd_config(5)" and "ssh_config(5)", they are the best source for what you are looking for.

Please, share your findings here and, if successful, mark this thread as "solved".
 
Old 07-23-2009, 03:56 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2786
Quote:
Originally Posted by hemanshurpatel
i am having a bit of problem.
Yes, and more than you bargained for.


Quote:
Originally Posted by hemanshurpatel
users to do ssh to my servers though they have root password,
...implies users logging in as root account user. If that's the case then all your other safe-guards, access restrictions, security measures are for naught. Sure you may ignore that but something is called a best practice for a reason.


Quote:
Originally Posted by hemanshurpatel
fedora core 8 installed.
...which is stale, unmaintained, unsupported. Sure you're free to ignore that remark too but adding access restrictions or security measures on top of a deprecated distribution version is an utter waste of time and will only give you a false sense of security.


Quote:
Originally Posted by hemanshurpatel
i want ssh via password only, no ssh-keygen.
Even before we have a chance to address concepts like port knocking you should really try to understand OpenSSH better.
 
Old 07-24-2009, 12:28 AM   #6
hemanshurpatel
Member
 
Registered: Jul 2009
Location: India
Distribution: fedora 12
Posts: 36

Original Poster
Rep: Reputation: 15
Dear unSpawn,

If you don't have an answer, please don't laugh at me.

The intention with the root password is that even if someone has the root password he should not be able to login to my server without that key file.
I think I made this clear in my previous posting.
Whether I am using Fedora Core 8 or 11, I think the solutions won't change much.


Thanks for the other replies though; surely I will go through the ssh_config and sshd_config man pages.
 
Old 07-24-2009, 12:58 AM   #7
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
Don't discount what he said about root logins and stale versions. Not only is it silly to work on advanced security like 'I want public-key in case they get my password' when you're asking for problems by not updating your software and risking everything by working as root, but like it or not, you're part of a network, and you are a weak link by not taking care of your own security. Poor practice (and Windows) is why we have botnets.

A keyfile is exactly what public key authentication gives you. You can even password protect it. It's a very bad idea in case you lose the keyfile, but you could then disable password authentication and use public key with the passworded key, making it impossible to log in without both the public key and the password. That's what you want. It really is ill-advised, though.
 
Old 07-24-2009, 01:10 AM   #8
hemanshurpatel
Member
 
Registered: Jul 2009
Location: India
Distribution: fedora 12
Posts: 36

Original Poster
Rep: Reputation: 15
karamarisan,
I didn't get you.

And about the previous posting, I don't want to insult anyone. I am working on Linux, and I know it is a very bad idea to log in using the root id; all I want to tell is that even if someone has got the root password, he should not be able to login.
I never said that you need the root password only to login, or that I will allow only the root user to login.
 
Old 07-24-2009, 01:24 AM   #9
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
Like unSpawn said, you should take some time and read up on OpenSSH. In particular, look into public key authentication, as that is as close to what you want as you're going to get. ssh-keygen is the program you'll use to set that up.
 
Old 07-24-2009, 01:29 AM   #10
hemanshurpatel
Member
 
Registered: Jul 2009
Location: India
Distribution: fedora 12
Posts: 36

Original Poster
Rep: Reputation: 15
Yeah sure,
I will read it.

But are you sure that after generating keys using ssh-keygen I can set it to both? I mean if someone has that file and not the password, or say someone has the password and not that file, then he/she should not be able to login?

Can I do that?
 
Old 07-24-2009, 01:46 AM   #11
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
I am sure you can password-protect an OpenSSH private key. I am reasonably sure you can disable regular authentication - you'll have to read up on sshd_config as mentioned earlier to find out for sure and how.

However, this is a BAD idea. If the machine on which you have stored the private key is stolen, or its hard drive dies, or you're using it on a boat and drop it off the side, it will be impossible to log in (barring a brute-forcing of your key, and if that were practical, there'd be no point to a key in the first place). The idea is that by using public key, you just skip the password step; protecting the key itself is the responsibility of you and the machines it's on, and if their security isn't up to snuff, you've got bigger problems.
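As an added example (not code from the thread or from OpenSSH), a small POSIX shell audit for the sshd_config settings posts #4 and #11 point at: PermitRootLogin, PasswordAuthentication, PubkeyAuthentication and AllowUsers, run over two constructed sample configs, one weak and one set up the way the replies recommend (key logins only, with the private key passphrase-protected on the client). It assumes that an unset PermitRootLogin or PasswordAuthentication counts as "yes", which was the OpenSSH default in the Fedora Core 8 era.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the replies point at. sshd honours the FIRST uncommented value of a keyword,
# so a later duplicate does not override an earlier one. Assumption: an unset
# PermitRootLogin/PasswordAuthentication counts as "yes" (OpenSSH 5.x default).

# effective_value FILE KEYWORD: print the first uncommented value, lowercased
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}
# audit_sshd_config FILE: one line per weak setting; returns 0 clean, 1 not
audit_sshd_config() {
    cfg="$1"; rc=0
    root=$(effective_value "$cfg" PermitRootLogin)
    pw=$(effective_value "$cfg" PasswordAuthentication)
    pk=$(effective_value "$cfg" PubkeyAuthentication)
    users=$(effective_value "$cfg" AllowUsers)
    if [ "${root:-yes}" != "no" ]; then
        echo "$cfg: PermitRootLogin is '${root:-yes}', want 'no'"; rc=1
    fi
    if [ "${pw:-yes}" != "no" ]; then
        echo "$cfg: PasswordAuthentication is '${pw:-yes}', want 'no'"; rc=1
    fi
    if [ "$pk" = "no" ]; then
        echo "$cfg: PubkeyAuthentication is 'no', key logins impossible"; rc=1
    fi
    if [ -z "$users" ]; then
        echo "$cfg: no AllowUsers list, any account may attempt a login"; rc=1
    fi
    return "$rc"
}
# make_sample_configs: constructed weak and hardened configs in a temp dir
make_sample_configs() {
    d=$(mktemp -d)
    printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication no' \
        'PasswordAuthentication yes' > "$d/weak.conf"
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' 'AllowUsers admin backup' \
        '# later duplicate, ignored by sshd: the first value wins' \
        'PermitRootLogin yes' > "$d/hardened.conf"
    echo "$d"
}

dir=$(make_sample_configs)
for f in weak hardened; do
    if audit_sshd_config "$dir/$f.conf"; then echo "$dir/$f.conf: OK"; fi
done
```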
 
Old 07-24-2009, 02:03 AM   #12
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028
You can (using ssh) password protect the key on the client, so losing the client doesn't matter if the thief doesn't know the password to the key.
 
Old 07-24-2009, 02:31 AM   #13
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
I don't really understand the question you had about not allowing people who know the root password to log in. If you simply mean that you don't want to allow ssh root logins, that is easy to set in /etc/ssh/sshd_config. If you mean that you don't want people who know the root password to log in and use su to become root, you can prevent these users' group from logging in to ssh.

If you want to allow these people to log into their regular accounts, but not use su or sudo to become root, that is more complicated. Instead of letting administrators know the root password, you could change the root password and make them members of the `wheel' group, so they can use sudo instead. Use pam_group (see man group.conf & man pam_group) to determine when and from where they are members of the wheel group. Then they can use sudo at work from a local terminal but not remotely after work.

Company policy and auditing may be more useful than more complicated or obstructive methods. Giving users you don't trust the root password doesn't sound like a good policy. Users who have root access during the day can modify your configurations, circumventing any controls on ssh access you implement.

Last edited by jschiwal; 07-24-2009 at 02:41 AM.
 
Old 07-24-2009, 02:36 AM   #14
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Quote:
Originally Posted by chrism01 View Post
You can (using ssh) password protect the key on the client, so losing the client doesn't matter if the thief doesn't know the password to the key.
Exactly, it is the private key on the client that is passphrase protected. I like passphrases, because they can be a lot longer. Odd phrases are a lot easier to remember than random passwords.

However, a remote user in the field, let's assume with a laptop, could remove the passphrase (out of laziness) and later lose the laptop. I don't know how this policy could be enforced.

Last edited by jschiwal; 07-24-2009 at 02:42 AM.
 
  

