LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-06-2007, 09:27 AM   #1
toiday
LQ Newbie
 
Registered: Nov 2005
Posts: 1

Rep: Reputation: 0
How to allow root ssh from one host


I have a host with RHEL3U4, which comes with OpenSSH_3.6.1p2. I would like to disable all root ssh except from one host. This is like an "admin" host where we run some ssh scripts to other hosts. Because of the application requirement, we can't upgrade the OS version or upgrade/recompile OpenSSH. I've read up on TCP Wrapper but I'm not sure that's included in the OpenSSH we have. Is it possible to do with that version of OpenSSH?

Thanks!
 
Old 07-06-2007, 10:56 AM   #2
0.o
Member
 
Registered: May 2004
Location: Raleigh, NC
Distribution: Debian, Solaris, HP-UX, AIX
Posts: 208

Rep: Reputation: 35
You could run another instance of sshd on a nonstandard port and only allow the IP of that host through the firewall for that port.
 
Old 07-06-2007, 11:15 AM   #3
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499
Blog Entries: 2

Rep: Reputation: 68
I suppose you have an untweaked installation as regards /etc/hosts.allow and /etc/hosts.deny.

In this case, you can edit the /etc/hosts.deny to add:
Code:
sshd: ALL EXCEPT 192.168.160.32, 192.168.160.251
The above line will accept ssh connections only from those two hosts.

Post edit: I am not sure your version of openssh has support for tcpwrappers. Anyway, the file /etc/hosts.deny is from the package netcfg in Fedora 7.
Sorry for not reading your post carefully the first time.

Last edited by marozsas; 07-06-2007 at 11:22 AM.
 
Old 07-06-2007, 11:41 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
You could also set up a key-based authentication to the account so that only the computer with the private key can access the account.
 
Old 07-06-2007, 12:46 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by toiday
I've read up on TCP Wrapper but not sure that's included in the OpenSSH we have.
You can use the ldd command to see if your SSH daemon binary is compiled with support for TCP Wrappers. For example, you can see that the SSH daemon on my Ubuntu box does have the support:
Code:
win32sux@candystore:~$ ldd /usr/sbin/sshd 
        linux-gate.so.1 =>  (0xffffe000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7ef1000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7ee9000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7ee5000)
        libselinux.so.1 => /lib/libselinux.so.1 (0xb7ecf000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7ebc000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d7a000)
        libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xb7d75000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7d61000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d4a000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d1c000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7d00000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7c83000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7c5d000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7c5a000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7c56000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7b15000)
        /lib/ld-linux.so.2 (0xb7f06000)
        libsepol.so.1 => /lib/libsepol.so.1 (0xb7ad4000)
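To make win32sux's ldd check and marozsas's hosts.deny line concrete, here is an added example that is not code from the thread or from OpenSSH/tcp_wrappers: it scans a constructed excerpt of ldd output for libwrap, and evaluates a tcp_wrappers client list the way hosts_access(5) does (hosts.allow first, then hosts.deny, default allow) for a few constructed client addresses. The function names, the ldd excerpts and the addresses are my own, and the matcher is a simplified subset of the real library (ALL, literal address, trailing-dot prefix, net/mask, EXCEPT).

```python
"""Added example (not from the thread): model two of the checks discussed here.
1. has_tcp_wrappers(): does `ldd sshd` show libwrap (TCP Wrappers) linked in?
2. hosts_access(): which clients does a hosts.allow/hosts.deny rule such as
   `sshd: ALL EXCEPT 192.168.160.32, 192.168.160.251` actually admit?
All sample data below is constructed; the matcher is a simplified subset of
hosts_access(5) (ALL, literal address, trailing-dot prefix, net/mask, EXCEPT).
"""
import ipaddress
import re

# Constructed excerpts of `ldd /usr/sbin/sshd` output, with and without libwrap.
LDD_WITH_WRAP = """\
        linux-gate.so.1 =>  (0xffffe000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7ef1000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7ee9000)
        /lib/ld-linux.so.2 (0xb7f06000)
"""
LDD_WITHOUT_WRAP = """\
        linux-gate.so.1 =>  (0xffffe000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7ee9000)
        /lib/ld-linux.so.2 (0xb7f06000)
"""


def linked_libraries(ldd_output):
    """Return the sonames named in ldd output ('libfoo.so.N => /path (addr)')."""
    libs = set()
    for line in ldd_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name = line.split("=>")[0].strip()      # left of '=>' (or the whole line)
        name = name.split(" (")[0]               # drop '(0x...)' on loader lines
        libs.add(name.rsplit("/", 1)[-1])        # basename only
    return libs


def has_tcp_wrappers(ldd_output):
    """True if the daemon is dynamically linked against libwrap."""
    return any(lib.startswith("libwrap.so") for lib in linked_libraries(ldd_output))


def _split_list(text):
    """tcp_wrappers lists are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", text.strip()) if tok]


def _match_pattern(pattern, client_ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # '192.168.160.' = address prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                           # 'net/mask' or CIDR
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern                  # literal address


def client_list_matches(spec, client_ip):
    """Evaluate 'a b EXCEPT c d': matches if the head matches and the tail does
    not ('a EXCEPT b EXCEPT c' parses as 'a EXCEPT (b EXCEPT c)')."""
    head, _, tail = spec.partition(" EXCEPT ")
    matched = any(_match_pattern(p, client_ip) for p in _split_list(head))
    if matched and tail:
        matched = not client_list_matches(tail, client_ip)
    return matched


def hosts_access(daemon, client_ip, hosts_allow, hosts_deny):
    """Mimic the library's decision order: the first matching hosts.allow line
    grants, otherwise the first matching hosts.deny line refuses, otherwise
    access is granted (an empty pair of files wraps nothing)."""
    for table, verdict in ((hosts_allow, True), (hosts_deny, False)):
        for line in table.splitlines():
            line = line.split("#", 1)[0].strip()         # strip comments/blank lines
            if not line:
                continue
            daemons, _, rest = line.partition(":")
            clients = rest.split(":", 1)[0]              # ignore any shell-command field
            daemon_list = _split_list(daemons)
            if daemon in daemon_list or "ALL" in daemon_list:
                if client_list_matches(clients.strip(), client_ip):
                    return verdict
    return True


# marozsas's line, placed in hosts.deny; hosts.allow left empty.
HOSTS_ALLOW = ""
HOSTS_DENY = "sshd: ALL EXCEPT 192.168.160.32, 192.168.160.251\n"


def demo(client_ips=("192.168.160.32", "192.168.160.251", "192.168.160.7", "10.1.2.3")):
    """Map each constructed client address to the sshd verdict under the rule."""
    return {ip: hosts_access("sshd", ip, HOSTS_ALLOW, HOSTS_DENY) for ip in client_ips}


if __name__ == "__main__":
    print("sshd has libwrap:", has_tcp_wrappers(LDD_WITH_WRAP))
    for ip, ok in demo().items():
        print(f"{ip:16} {'accepted' if ok else 'refused'}")
```

Two caveats the model makes visible: ldd only lists shared libraries, so a daemon that was built without libwrap (or with it linked statically) shows nothing, which is exactly why win32sux's check is worth running before relying on hosts.deny; and the deny line is keyed on the daemon name, so it constrains sshd alone, while any other wrapped service keeps the default-allow behaviour unless it gets its own line.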
 
Old 07-06-2007, 01:05 PM   #6
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499
Blog Entries: 2

Rep: Reputation: 68
Quote:
Originally Posted by win32sux
You can use the ldd command to see if your SSH daemon binary is compiled with support for TCP Wrappers
Cool! I was wondering how to know if a binary has support for tcpwrapper. I learned another cool hint.
 
Old 07-06-2007, 01:11 PM   #7
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499
Blog Entries: 2

Rep: Reputation: 68
Hey toiday! My previous post was incorrect about the tcpwrapper package name.
It is not netcfg. In Fedora 7 it is tcp_wrappers-libs.
netcfg is the package name on openSuSE.

Sorry for the mistake.
 
Old 07-07-2007, 02:24 PM   #8
whistl
Member
 
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37

Rep: Reputation: 15
/etc/security/access.conf

You can also do this using PAM (pluggable authentication modules).

First, edit /etc/ssh/sshd_config and uncomment/add the following two lines:
Code:
PermitRootLogin yes
UsePAM yes

Next, edit /etc/security/access.conf and add something like:

Code:
# only allow root access from LOCAL and the following host
-: root : ALL EXCEPT LOCAL 192.168.1.100
Next, add the following line in front of the "account" section in /etc/pam.d/system-auth:

Code:
account requisite /lib/security/$ISA/pam_access.so
Lastly, restart sshd by running "service sshd restart". You have to do this AFTER modifying /etc/pam.d/system-auth.

Make sure you keep a root session open while you test this, so you don't lock yourself out!

Good Luck!

Last edited by whistl; 07-07-2007 at 02:30 PM.
 
Old 07-07-2007, 03:47 PM   #9
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
If you don't want to fool with PAM you could also use the AllowUsers directive in sshd_config to do this:

e.g.:

AllowUsers root@adminhost bob frank joe

In this case root can only log in from adminhost, but bob, frank, and joe can log in from anywhere. The bad news is that any user who you want to be able to log in via ssh has to be explicitly added to the AllowUsers string, so if you have a lot of users or are adding new users constantly, the PAM procedure is probably the better way to go.
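As an added example that is not part of whistl's or btmiller's posts (nor code from pam_access or OpenSSH), the following Python models the two mechanisms side by side: a minimal pam_access(8) evaluator run over whistl's access.conf line, and a minimal AllowUsers matcher run over btmiller's directive, both applied to the same constructed login attempts. It assumes that the origin pam_access sees for an ssh login is the client's IP address (which is what whistl's rule expects), that PermitRootLogin is already yes so the PAM account check is what decides, and that LOCAL follows the classic "origin contains no dot" rule. The host name adminhost (assumed to be 192.168.1.100), the users, the addresses and the attempts are constructed.

```python
"""Added example (not from the thread): side-by-side model of the two
mechanisms in this thread for confining root to one host.
  pam_access_allows()   - simplified pam_access(8) over an access.conf text
  allow_users_permits() - simplified sshd AllowUsers matcher
Assumptions: the PAM origin for an ssh login is the client's IP address,
PermitRootLogin is already 'yes' so the PAM account check decides, and
LOCAL is the classic 'origin contains no dot' rule. All names, addresses
and attempts below are constructed.
"""
import fnmatch
import ipaddress
import re


def _split(text):
    return [tok for tok in re.split(r"[,\s]+", text.strip()) if tok]


def _list_matches(spec, item, match_one):
    """'a b EXCEPT c': hit if the head matches and the tail does not."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(match_one(p, item) for p in _split(head))
    if hit and tail:
        hit = not _list_matches(tail, item, match_one)
    return hit


def _user_matches(pattern, user):
    return pattern == "ALL" or pattern == user          # groups '(grp)' not modelled


def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin                         # tty names, unqualified hosts
    if pattern.startswith("."):                          # '.example.com' domain suffix
        return origin.endswith(pattern)
    if pattern.endswith("."):                            # '192.168.1.' address prefix
        return origin.startswith(pattern)
    if "/" in pattern:                                   # 'net/mask'
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return origin == pattern


def pam_access_allows(access_conf, user, origin):
    """First line whose user list and origin list both match decides
    ('+' grants, '-' denies); with no matching line access is granted."""
    for line in access_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _list_matches(users, user, _user_matches) and \
           _list_matches(origins, origin, _origin_matches):
            return perm.startswith("+")
    return True


def allow_users_permits(allow_users, user, client_names):
    """AllowUsers: when set, a user logs in only if some pattern matches;
    'user' alone matches from anywhere, 'user@host' also requires the host
    part to match the client's hostname or address (* and ? wildcards)."""
    if not allow_users.split():
        return True                                      # directive absent
    for pattern in allow_users.split():
        upat, _, hpat = pattern.partition("@")
        if not fnmatch.fnmatchcase(user, upat):
            continue
        if not hpat or any(fnmatch.fnmatchcase(n, hpat) for n in client_names):
            return True
    return False


# whistl's access.conf line and btmiller's AllowUsers line, verbatim.
ACCESS_CONF = "-: root : ALL EXCEPT LOCAL 192.168.1.100\n"
ALLOW_USERS = "root@adminhost bob frank joe"

# Constructed ssh login attempts: (user, client hostname, client address).
# adminhost is assumed to be 192.168.1.100; alice is a user nobody listed.
ATTEMPTS = [
    ("root",  "adminhost",          "192.168.1.100"),
    ("root",  "laptop.example.com", "10.9.8.7"),
    ("bob",   "laptop.example.com", "10.9.8.7"),
    ("alice", "laptop.example.com", "10.9.8.7"),
]


def compare(attempts=ATTEMPTS):
    """Verdict of each mechanism for each attempt, keyed by (user, address)."""
    return {
        (user, ip): {
            "pam_access": pam_access_allows(ACCESS_CONF, user, ip),
            "AllowUsers": allow_users_permits(ALLOW_USERS, user, [host, ip]),
        }
        for user, host, ip in attempts
    }


if __name__ == "__main__":
    for (user, ip), verdicts in compare().items():
        print(f"{user:6} from {ip:14} " + "  ".join(
            f"{k}={'allow' if v else 'deny'}" for k, v in verdicts.items()))
```

The last attempt is btmiller's point in miniature: pam_access leaves alice alone because the rule only names root, whereas AllowUsers refuses her because she is not listed, so every ssh user has to appear in AllowUsers once the directive is set. The model also shows why whistl's LOCAL exception matters: a root login on the console (origin "tty1", no dot) is still permitted by the same line.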
 
  

