LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-10-2007, 12:58 AM   #1
grayswander (Member; Registered: Apr 2003; Location: Israel; Distribution: Gentoo; Posts: 61)
SSH per-user configuration


Good time of day!

Is it possible to do one or more of the following, without SELinux or GRSecurity?

1) Configure sshd parameters per-user?
2) Make ~/.ssh and ~/.ssh/authorized_keys writable only by root?
3) Disable tty allocation for certain user?
4) Only allow certain users to ssh to restricted set of remote users?
5) Is it possible to specify "forced-command-only" for non-root logins?
6) I want to completely control ssh access by root (or a security administrator)

I have a pretty stupid situation:

I have a couple of applicative user accounts.
I have a lot of developers' accounts.

I want to allow developers to ssh between their hosts as themselves.
I want to allow application users to execute remote commands as other applicative users.

I have to allow developers to "sudo -s" to applicative users.
I want to deny developers the ability to ssh as an applicative user with an interactive shell.
I want to deny applicative users the ability to run interactive commands.

In other words, I want to prevent something like this:

Quote:
dev@host1$ ssh appl@host2
Permission denied

dev@host1$ ssh host2

dev@host2$ sudo -s -l appl
appl@host2$ cat <dev's pub key> >> .ssh/authorized_keys
appl@host2$ ssh appl@host3
appl@host3$ ...
Thank you in advance!
 
Old 06-10-2007, 02:11 AM   #2
stzein (Member; Registered: Mar 2004; Location: Antwerp, Belgium; Distribution: Gentoo; Posts: 65)
Quote:
dev@host2$ sudo -s -l appl
appl@host2$ cat <dev's pub key> >> .ssh/authorized_keys
Can't this be prevented by disallowing your users to use sudo?
In some distros you need to be in the wheel group to do su (I don't know about sudo; I'm not sure if having sudo on your server is a good idea in this case), so kicking users out of that group would prevent it. I don't think this works in all distributions though; here's a thread that 1 minute of googling turned up.
 
Old 06-10-2007, 02:39 AM   #3
grayswander (Member, Original Poster; Registered: Apr 2003; Location: Israel; Distribution: Gentoo; Posts: 61)
You've missed the whole point :-)

I need to allow those users to sudosh (sudo -s) as applicative users.
I just want to prevent them from sshing directly as applicative users.
 
Old 06-10-2007, 05:30 AM   #4
stzein (Member; Registered: Mar 2004; Location: Antwerp, Belgium; Distribution: Gentoo; Posts: 65)
I'm still not really sure what you want to accomplish, but I think something close to what you want can be accomplished by carefully editing several config files:
  • in /etc/sshd.conf (or /etc/ssh/sshd_config or something else depending on your distro) you can set who is allowed to log on, and some other settings like "ForceCommand" (you were looking for that?)
  • in /etc/sudoers you can set who is allowed to do what with sudo
  • to set rights for .ssh files --> chmod -R 750 /home/{username}/.ssh <-- or something like that

I don't know if this helps you, but I urge you to carefully read the man pages of ssh(d), sudo and any related tools that you may use.
 
Old 06-10-2007, 06:37 AM   #5
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55)
Adding to what Stzein already wrote (soz for any dups)

Configure sshd parameters per-user?
OpenSSH-4.4p1 gives you the conditional "Match" directive with which you can configure and restrict settings (like ForceCommand) on a per-user basis.


Make ~/.ssh and ~/.ssh/authorized_keys writable only by root?
You can chmod it but then nobody will be able to change per-site config settings or add to ~/.ssh/known_hosts. If you need to deny writing to a single file, say ~/.ssh/authorized_keys, then I'd suggest populating it and then running chattr on it. Mind you, with each customisation time spent on maintenance and troubleshooting increases.


Disable tty allocation for certain user?
That's a ~/.ssh/{config,authorized_keys} setting, AFAIK not configurable from sshd_config.


Only allow certain users to ssh to restricted set of remote users?
If you mean that user X on host A is only allowed to ssh to host B as user Y, then I don't think you can restrict that *on* host A; the only things you can do are adding a ~/.ssh/config entry specifying the site name and login name (that's voluntary: overriding is easy) or using an iptables outbound match like --uid-owner. Effectively I think you've only got measures on host B, as in sshd_config (user, group, command), PAM listfile (user names) and in (chattr'ed) authorized_keys (say "only_from=IP").


Is it possible to specify "forced-command-only" to non-root logins?
See Match?


I want to completely control ssh access by root (or security administrator)
I don't know if I got your question right but there's no controlling ssh access by root.
Root shouldn't be allowed a remote SSH login. Period.
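As an added example (not from any poster in this thread) of what unSpawn's Match suggestion looks like when combined with a root-owned key store, here is an sshd_config fragment for host2/host3. It assumes Unix groups "appusers" and "developers", a hypothetical forced-command wrapper /usr/local/sbin/app-dispatch that inspects SSH_ORIGINAL_COMMAND and allowlists what applicative accounts may run, and a placeholder public key; note that PermitTTY and AuthorizedKeysFile inside Match are newer than the OpenSSH 4.4 mentioned above, and the authorized_keys source restriction is spelled from=, so check man sshd_config for your release.

```sshd_config
# Added example sshd_config fragment for host2/host3 (assumed group names).
PermitRootLogin no
PasswordAuthentication no

# Question 2: keys are read from a root-owned directory (mode 0755, files 0644),
# so neither an applicative account nor a developer who "sudo -s" into it can
# append a key to ~/.ssh/authorized_keys and gain a direct login later.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Questions 1, 3 and 5: applicative accounts never get a shell, a tty or
# any forwarding; every login runs the (hypothetical) dispatcher instead,
# which decides based on SSH_ORIGINAL_COMMAND.
Match Group appusers
    PermitTTY no
    ForceCommand /usr/local/sbin/app-dispatch
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# Developers keep a normal interactive login as themselves.
Match Group developers
    PermitTTY yes

# Question 4, enforced on the receiving host. Contents of the root-owned
# /etc/ssh/authorized_keys/appl, one line per calling host (placeholder key):
# from="host1.example.internal",no-pty,no-port-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER... appl@host1
```

After editing, confirm the effective per-user settings with `sshd -T -C user=appl,host=host1,addr=192.0.2.10` (constructed address), which prints the configuration that Match would apply to that connection without restarting the daemon.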
 
Old 06-10-2007, 06:52 AM   #6
grayswander (Member, Original Poster; Registered: Apr 2003; Location: Israel; Distribution: Gentoo; Posts: 61)
Thank you, unSpawn.
I'll check the Match.

I just wanted to prevent developers from accessing applicative accounts from remote hosts directly.
I wanted them first to ssh to the server, and then switch user to the applicative account, preserving the real user id.

Match would possibly help me.
 