LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-06-2007, 09:27 AM   #1
toiday
LQ Newbie
 
Registered: Nov 2005
Posts: 1

Rep: Reputation: 0
How to allow root ssh from one host


I have a host with RHEL3U4, which come with OpenSSH_3.6.1p2. I would like to disable all root ssh except from one host. This is like an "admin" host where we run some ssh scripts to other hosts. Because of the application requirement, we can't upgrade the OS version nor upgrade/recompile OpenSSH. I've read up on TCP Wrapper but not sure that's included in the OpenSSH we have. Is that possible to do with that version of OpenSSH?

Thanks!
 
Old 07-06-2007, 10:56 AM   #2
0.o
Member
 
Registered: May 2004
Location: Raleigh, NC
Distribution: Debian, Solaris, HP-UX, AIX
Posts: 208

Rep: Reputation: 35
You could run another instance of sshd on a nonstandard port and only allow the IP of that host through the firewall for that port.
 
Old 07-06-2007, 11:15 AM   #3
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,508
Blog Entries: 2

Rep: Reputation: 68
I suppose you have a not tweaked installation, regarding to /etc/hosts.allow and /etc/hosts.deny.

In this case, you can edit the /etc/hosts.deny to add:
Code:
sshd: ALL EXCEPT 192.168.160.32, 192.168.160.251
The above line will accept ssh conections only from that two hosts.

Post edit: I am not sure your version of openssh has support for tcpwrappers. Anyway, the file /etc/hosts.deny is from the package netcfg in Fedora 7.
Sorry to not read carefully your post in the first time.

Last edited by marozsas; 07-06-2007 at 11:22 AM.
 
Old 07-06-2007, 11:41 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
You could also set up a key-based authentication to the account so that only the computer with the private key can access the account.
 
Old 07-06-2007, 12:46 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by toiday
I've read up on TCP Wrapper but not sure that's included in the OpenSSH we have.
You can use the ldd command to see if your SSH daemon binary is compiled with support for TCP Wrappers. For example, you can see that the SSH daemon on my Ubuntu box does have the support:
Code:
win32sux@candystore:~$ ldd /usr/sbin/sshd 
        linux-gate.so.1 =>  (0xffffe000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7ef1000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7ee9000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7ee5000)
        libselinux.so.1 => /lib/libselinux.so.1 (0xb7ecf000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7ebc000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d7a000)
        libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xb7d75000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7d61000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d4a000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d1c000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7d00000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7c83000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7c5d000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7c5a000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7c56000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7b15000)
        /lib/ld-linux.so.2 (0xb7f06000)
        libsepol.so.1 => /lib/libsepol.so.1 (0xb7ad4000)
 
Old 07-06-2007, 01:05 PM   #6
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,508
Blog Entries: 2

Rep: Reputation: 68
Quote:
Originally Posted by win32sux
You can use the ldd command to see if your SSH daemon binary is compiled with support for TCP Wrappers
Cool ! I was wondering how to known if a binary has support for tcpwrapper. I learned another cool hint.
 
Old 07-06-2007, 01:11 PM   #7
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,508
Blog Entries: 2

Rep: Reputation: 68
Hey toiday ! My previous post was incorrect about the tcpwrapper package name.
It is not netcfg. In Fedora 7 it is tcp_wrappers-libs.
netcfg is the package name on openSuSE.

sorry the mistake.
 
Old 07-07-2007, 02:24 PM   #8
whistl
Member
 
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37

Rep: Reputation: 15
/etc/security/access.conf

You can also do this using PAM (pluggable authentication modules).

First, edit /etc/ssh/sshd_config and uncomment/add the following two lines:
Code:
PermitRootLogin yes
UsePAM yes

Next, edit /etc/security/access.conf and add something like:

Code:
# only allow root access from LOCAL and the following host
-: root : ALL EXCEPT LOCAL 192.168.1.100
Next, add the following line in front of the "account" section in /etc/pam.d/system-auth:

Code:
account requisite /lib/security/$ISA/pam_access.so
lastly, restart sshd by running "service sshd restart". You have to do this AFTER modifying /etc/pam.d/system-auth.

Make sure you keep a root session open while you test this, so you don't lock yourself out!

Good Luck!

Last edited by whistl; 07-07-2007 at 02:30 PM.
 
Old 07-07-2007, 03:47 PM   #9
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
If you don't want to fool with PAM you could also use the AllowUsers directive in sshd_config to do this:

e.g.:

AllowUsers root@adminhost bob frank joe

In this case root can only login from adminhost, but bob, frank, and joe can login from anywhere. The bad news is that any user who you want to be able to login via ssh has to be explicitly added to the AllowUsers string, so if you have a lot of users or are adding new users constantly the PAM procedure is probably the better way to go.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
x host with ssh rsca0070 Linux - Networking 1 09-08-2006 02:50 PM
SSH Host Error carlosinfl Linux - Networking 6 07-30-2006 10:03 AM
ssh + pop3 with kmail: Could not connect to host localhost, but ok without ssh Emmanuel_uk Linux - Networking 0 07-20-2006 04:56 PM
Root Host or trusted host???? astro209 Linux - Security 1 12-01-2005 02:56 PM
How to setup a host.deny and host.allow for SSH? explorer1979 Linux - Security 2 01-31-2005 05:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration