LinuxQuestions.org

Linux - Security: User based ip filtering? (https://www.linuxquestions.org/questions/linux-security-4/user-based-ip-filtering-574450/)

Balakrishnan84 08-03-2007 05:27 AM

User based ip filtering?
 
Hello All,
I wonder whether it is possible to perform user-based IP filtering in a proxy server. For example,
P->Proxy server
A->Server in Network 1
B1->Server in Network 2
B2->Server in Network 2
....
B1000->Server in Network 2

A->P->B1

I want to allow ssh connections only to the user "bala@B1" from "linux@A" and not for "kris@B1" from "linux@A". So this is basically binding user-based access with IP filtering.
Can this be done using a proxy, instead of using any setting on server B like PAM or ssh deny?
I know that in iptables I can write a rule to allow or deny based on IP address. I want to know whether there is any way to provide this from a gateway server.
Please let me know if you need further information on this.
Thanks.

raskin 08-03-2007 05:35 AM

I think it is not possible (and it mustn't be possible in this way). SSH is called secure because it is encrypted. All that the proxy can know is that it relays data from one box to another using TCP ports this-and-that. The user name in an ssh session is just a piece of data that is transmitted after establishing the secure (encrypted) connection. A proxy that gets it out of the stream means a proxy that breaks encryption. And ssh protocol version 2 is still considered to be secure.

Balakrishnan84 08-03-2007 06:14 AM

Oh :( ... But I don't want to establish an SSH connection if I find that the user name is not the one I wanted to allow. If you could give me some links which talk about this requirement, it would be great. I am ready to modify either the SSH source code or iptables/proxy to achieve this. Please let me know; I need to achieve this some way.
Thanks.

raskin 08-03-2007 06:25 AM

Which of the boxes A, B and P are under your control? Do you need to still enable all features of SSH? Do you really need to distinguish target users (on B) or is it enough just to forbid SSH to some users on A? You can disable NAT on the proxy, so that the only way to get from A to B is through real proxying. Password-protect your proxy and store the password on A in a place that is accessible only by root. Then write a script that will add an option with the correct password (taken from the secret file) to its own option list and run ssh if it finds the user@host string acceptable or if it is run by a "good" user. Allow "good" users to use sudo on this script.

Balakrishnan84 08-03-2007 06:41 AM

Sorry. I didn't understand it well. :(
For the example, I have taken it as SSH. It may be any service like ftp, telnet and so on. I have control of all three machines in a test environment. The software that I am looking for is to provide user-based access on the B servers. I want to take complete control in P itself. I will in turn configure server A to use P as a proxy server for SSH or for anything that it needs to connect to the B servers. Actually I need to have control based on users at both ends, i.e. in A and B. This can be achieved through PAM settings on the B servers. But instead of controlling through individual servers... I need a centralized way; that's why we thought of implementing software on the proxy to take care of this control.
Thanks.

raskin 08-03-2007 07:12 AM

As long as P has already let A and B establish an ssh connection, it cannot see any of its content. The user name will come into play later.

Maybe you can do it if P is a password-protected proxy, and to get a password you need to submit the command you want to run. Surely, if users can submit commands themselves, they can cheat and run a slightly different command later, so you need to have a sudo script that will submit a command to a checking service on P and will run exactly this command with the correct proxy password if the checker agrees. Also you need to include some password just when submitting, but you can store it in a file readable only by root.

Balakrishnan84 08-03-2007 08:23 AM

I need not worry about the command that he is running... because I have modified bash such that it will allow only limited commands. So I will give my restricted shell to the user who logs in... the thing is I need to have time-based and IP-based access. Even I can handle this from the modified shell. But if it is possible to restrict at proxy level then that would solve our problem easily...
Anyway, thanks for your help.
I am sure I will get this done in a few days... I'm looking for some software and will modify it to achieve my requirement.
If you find some method to do this, please let me know.
Some trial with LDAP on the proxy machine is also being done to achieve this. :)
Let's see whether LDAP suits or not...
Thanks :)

raskin 08-03-2007 03:23 PM

The proxy cannot extract information about source and target users (on A and on B) from an SSH data connection. But both of them are known to the ssh program. So the only reasonable way to keep decision-making on the proxy server is to make the ssh program on A (itself or with the help of a script) consult a special decision-making permission server on P.

Edit: I think that there is no widespread program for this as I think that it is some (notable though not deadly yet) hit for the very idea of ssh.
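The wrapper raskin sketches in his two replies (a sudo-run script on A that checks the user@host string and only then runs ssh through the password-protected proxy, optionally asking a checker on P) can be shown in a few lines. The script below is an added example, not code from the thread or from any project mentioned in it; the policy file path and format, the proxy name and port, the HTTP CONNECT ProxyCommand and the environment variable names are all assumptions made for the example. The decision is kept in small functions so that it can be tested without a real proxy, and the allow-list is matched as a whole fixed line so that a caller cannot smuggle extra ssh options or glob patterns into the target string.

```shell
#!/bin/sh
# Added example (not from the thread): an ssh wrapper on host A, intended to be
# run via sudo, that checks "source_user target_user@target_host" against a
# root-readable allow-list before exec'ing ssh through proxy P.

POLICY_FILE="${POLICY_FILE:-/etc/ssh-wrapper/allow.txt}"   # hypothetical path
PROXY_HOST="${PROXY_HOST:-P}"                              # hypothetical proxy name
PROXY_PORT="${PROXY_PORT:-8080}"                           # assumed HTTP CONNECT port

# Constructed sample policy (one "src_user target" pair per line) so the
# example can be exercised stand-alone: sample_policy > "$POLICY_FILE".
sample_policy() {
  cat <<'EOF'
linux bala@B1
linux ops@B2
EOF
}

# valid_target TARGET -> 0 when TARGET is a plain user@host with a restricted
# character set (rejects leading '-', spaces, '=' etc. that could be read as
# ssh options or extra arguments).
valid_target() {
  printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*@[A-Za-z0-9.-]+$'
}

# policy_allows SRC_USER TARGET -> 0 when "SRC_USER TARGET" is an exact whole
# line of the policy file (fixed string, no globbing, no prefix matches).
policy_allows() {
  grep -qxF -- "$1 $2" "$POLICY_FILE"
}

# decide TARGET -> 0 allow, 1 denied by policy, 2 malformed target.
# SUDO_USER is the real caller when invoked through sudo.
decide() {
  src_user="${SUDO_USER:-$(id -un)}"
  valid_target "$1" || return 2
  policy_allows "$src_user" "$1" || return 1
  return 0
}

main() {
  [ $# -eq 1 ] || { echo "usage: $0 user@host" >&2; exit 2; }
  decide "$1"
  rc=$?
  case $rc in
    0)
      # Tunnel through P with OpenBSD netcat's HTTP CONNECT mode (assumed proxy type).
      exec ssh -o "ProxyCommand=nc -X connect -x ${PROXY_HOST}:${PROXY_PORT} %h %p" "$1"
      ;;
    1) echo "denied: $src_user -> $1" >&2; exit 1 ;;
    *) echo "malformed target: $1" >&2; exit 2 ;;
  esac
}

# Act as a command only when given an argument; sourcing the file with no
# arguments just defines the functions above.
if [ $# -ge 1 ]; then
  main "$@"
fi
```

Install the script root-owned and mode 0755, list it in sudoers for the "good" users, and keep the allow-list (and any proxy credential the ProxyCommand needs) readable only by root; the policy lookup in `policy_allows` is the place to replace the local file with a query to a permission service on P if the decision is to stay centralized.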

Balakrishnan84 08-05-2007 11:31 PM

In the example I showed you... server A may be more than 100 servers and B more than 500 servers... Imagine that writing scripts on the client side will lead to unwanted headaches later... So I'm looking for some centralized control approach to handle this problem. If nothing is found, then we have planned to use PAM on all 500 B servers to control it effectively.
Thanks... :)

raskin 08-06-2007 01:13 AM

Well, I understood that you were ready to modify even ssh. Surely if you have that many boxes you need to have some centralized deployment. What is sure is that there is no way to filter by user names on A unless ssh (or its wrapper) gives it away (in a non-standard way; it doesn't by default); and the only two hosts that can filter by B user names are A and B (they may ask P in the process).

Balakrishnan84 08-06-2007 01:29 AM

http://www.nufw.org/
Please look at the above link. I'm currently looking into this tool. It seems to help me a bit. If you have some ideas, please let me know.

raskin 08-06-2007 01:48 AM

Looks good. It is probably a good solution to disclose user names on host A to filtering software. And if you also store the PAM configurations for B on P, you will have all the settings centralized. You will probably need to add nuaclgen entries to cron for time-based policy changes.

Balakrishnan84 08-06-2007 01:53 AM

Yes it is... For time-based policy changes, I planned to provide a user interface on P, so that only admins can log in and change the policy... I just started to look into that tool... I think this is a great tool to help me...
