LinuxQuestions.org


sholter 04-22-2013 08:04 AM

Limiting user access to one server in domain
 
Hi everyone, I've been trying to get an answer to this question. I need to limit external users' access to one server in my domain. Anything I've read has been "use the Allow/Deny users in sshd_config". I want them to be allowed to use server1, but not be able to ssh out to any other servers in the network. Any help would be greatly appreciated.

Noway2 04-22-2013 08:26 AM

The best thing to do is deny them access at the other hosts. This would be part of a proper security posture for those machines.
I think you are going to have trouble trying to deny per-user outbound SSH capability for a couple of reasons, not the least of which is that nothing is stopping them from running a local copy of the utility from their home space (BTW, they are not dependent upon the system binary). You could block all outbound traffic to destination port 22, but this could have other side effects and is also not guaranteed. Pretty much anything you do on this one server is not going to be a substitute for proper configuration of the other servers.

sholter 04-22-2013 08:30 AM

Thanks Noway, that's what I thought might have to happen.

chrism01 04-22-2013 08:35 AM

You can try
Code:

# on server1, OUTPUT chain: drop outbound connections to TCP port 22
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j DROP

i.e. at the firewall/iptables level.

However, I think we need more info; see the discussion here: http://linux.livejournal.com/1855345.html?nojs=1
One of the things pointed out is that if the users can copy software onto the box, they can install their own copy of the ssh client and potentially ssh out to a different port than 22, unless that's not a problem in this case.

EDIT: too slow, beaten by Noway
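The following is an added example, not code posted by anyone in this thread. It puts the two suggestions above together and goes one step further than the port-22 rule: it assumes the external users all belong to a Unix group named `extusers` (an assumed name), restricts server1's outbound connections by that owning group rather than by destination port, so a privately installed client on another port is covered too, and gives a check for the `DenyGroups` line the other hosts need.

```shell
#!/bin/sh
# Added example, not code from this thread. Assumes the external users are all
# members of a Unix group named "extusers" (assumed name) on every host.
set -eu
EXT_GROUP="${EXT_GROUP:-extusers}"

# Rules for server1, the one host they may use. Matching on the group that owns
# the connecting process (iptables owner match, valid in the OUTPUT chain only)
# instead of on destination port 22 also stops a privately installed ssh client
# that talks to some other port, which a plain --dport 22 rule would miss.
# Incoming sessions are INPUT traffic and are not affected.
server1_outbound_rules() {
    cat <<EOF
iptables -A OUTPUT -o lo -m owner --gid-owner $EXT_GROUP -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $EXT_GROUP -m conntrack --ctstate NEW -j LOG --log-prefix "$EXT_GROUP-out: "
iptables -A OUTPUT -m owner --gid-owner $EXT_GROUP -m conntrack --ctstate NEW -j REJECT
EOF
}

# On every other host: sshd refuses the group regardless of source address.
# This is the real control; the server1 rules above are defence in depth.
other_hosts_sshd_fragment() {
    printf 'DenyGroups %s\n' "$EXT_GROUP"
}

# Check that a host's sshd_config actually carries the deny for the group.
# Usage: check_sshd_denies_group /etc/ssh/sshd_config
check_sshd_denies_group() {
    grep -Eq "^[[:space:]]*DenyGroups([[:space:]]+[^[:space:]]+)*[[:space:]]+$EXT_GROUP([[:space:]]|\$)" "$1"
}

# Apply the server1 rules only when explicitly asked (APPLY=1, as root);
# otherwise print everything for review.
if [ "${APPLY:-0}" = 1 ]; then
    server1_outbound_rules | sh -e
else
    server1_outbound_rules
    other_hosts_sshd_fragment
fi
```

Run it without `APPLY=1` first and read the printed rules; `sshd -T | grep -i denygroups` on each of the other hosts shows what the running sshd actually enforces.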

