Please forgive my ignorance on certain topics including IPTABLES and such....

I have a client who runs a Red Hat server which runs their billing application. Once a day a user (accountant) needs to perform maintenance on this software by connecting to the box via SSH.

The other users around the company also use SSH to connect to this box. I want to

1. Allow the user to connect via SSH
2. Allow the user to kill SSH connections to the other IP addresses - this user will be connecting internally from either 192.168.0.61 or 192.168.0.109 so I want to retain these IP's so he doesn't cut himself off
3. Allow the user to perform the maintenance on the billing application
4. Allow the user to open the connections back up when finished so the clients can connect

Note: This user isn't the most savy user out there, but can trigger bash scripts if needed.

Any ideas on this scenario would be completely appreciated. Please reply to the thread if you have any questions.

I have heard that this can be accomplished via IP tables but I run into issue as the user would have to perform these actions. I am also not the best with IPTABLES but can learn quickly.

Thanks.

May be overkill for this application. Check out the allow_users/deny_users directives for the sshd_config file. You can have rules set up to allow/deny based on IP address(es)/ranges, and just un-comment those rules when needed. Bounce the ssh service, and the rules are in place.

You can also use hosts.deny, with the sshd protocol, to block ranges from coming in, but that would need root access to edit a file.

If you don't have the most savvy user, you can write a bash script to have a different sshd_config file, with the appropriate rules in place. Running the script as SUDO will let the files be moved/copied, and the service be bounced.

I'm thinking out loud here, but there would be a way to accomplish this without using iptables.

Create an sshd_config file with AllowUsers <accountant's user name>, call it whatever ssh_config_A

Have the accountant ssh to the machine and run a script which would kill the existing sshd instance, and restart sshd with the ssh_config_A configuration file. Stopping sshd would boot everyone who's connected, including him, so he would have to reconnect. When he's done, he can run another script which would restart the normal sshd.

something along the lines of:

When he's done:

I haven't tried this myself to ensure it works (I'm about to....)

Edit: I see another poster has offered up some similar ideas...

hth,

Okay, neither of those scripts ^^^^^^^ will work (I had *suspected* such), for the simple reason that once sshd is killed outright, the user who invoked the script is disconnected, and the script stops running. The problem with simply issuing a restart command to rc.sshd is that it won't boot existing users, even if the config file has changed.

I considered starting a second sshd process with the altered sshd_config, but issuing the command 'sudo /etc/rc.d/sshd stop' kills both processes.

The second script wouldn't even be necessary, as issuing the command 'sudo /etc/rc.d/rc.sshd restart' would do the trick.

At least you've managed to get my rusty gears churning - I'll stay on it....

On a Redhat server, stopping the sshd process will NOT terminate existing sshd connections.

You will have to kill the other existing sshd PIDs individually.

Here's something i tested to do this:
Give the user sudo access to this script. Run as follows:

scriptname stop (logoff all other users)
scriptname start (start sshd)

Seems strange to me - if 200 users are connected to your server, as admin, you couldn't simply stop the ssh daemon, you'd have to kill 200 pids. But there must be reasons, so it is what it is.

Anyway, on slackware, telling the daemon to stop boots everyone.

As to the op's original query, picking up on my original reply, your accountant can ssh in, boot everyone, do his maintenance, exit and restore original accessibility thusly:

Go ahead and create a script that stops the daemon and restarts it with a new config that allows only him to reconnect.

When he's done, the daemon can then be restarted with it's normal config.

So, the script that changes config resides on the remote machine, and it can be similar to the script in my first post. Let's call it 'ssh_new':

Now, on your accountant's machine, create a script which will ssh to the remote, stop the daemon, start the daemon with the new config, allow the accountant to do his thing, then restart the daemon when he logs off.

I've tested it, and it works on Slackware 12.1

Obviously, the user can invoke the 'sudo /etc/rc.d/rc.sshd restart' whilst still connected, but by putting it in the script it saves him this step, and resets the config in case he forgets.

cheers,

Yeah, most Unix platforms i've worked on are the same way. To kill all sshd processes (including your own) in Red Hat, run 'pkill sshd'.

Thank you for the info. I often get caught *assuming* that the main differences in distros are cosmetic, rather than functional.

cheers,