SFTP/SCP only per account
Hello,
I have a PCIDSS environment where I need to:
I don't have the ability to restrict by IP address at the firewall layer unfortunately. Any ideas here?
See AllowUsers in sshd_config(5), and the accompanying PATTERNS section in ssh_config(5). Together, they allow you to whitelist account@subnet, account@other-subnet, etc.
All else is denied by default. An alternative to this would be using pam_access(8) to whitelist an entire group@subnet. (We need to know what OS / version you're using in order to help further.)
Oh fail on my part. I didn't realize I could write a user@subnet pattern. Let me chew on that. It's RHEL6.
Quote:
Set it up something like:
Code:
AllowUsers root@10.11.12.* admin1@15.16.17.19 admin2 10.11.*
EDIT: Dangit, I was typing when the other two replies came in. :)
I could go RTFM but just for fun conversation, just by doing DenyUser root@192.168.* without an explicit AllowUsers root@* will root still be able to login say from 172.16.5.20?
@td3201: I'd expect it to, but am not sure. That's one of those scenarios that is best to personally test and observe.
Again, if you find that sshd(8)'s allow/deny pattern directives are not quite meeting your needs, be sure to consider pam_access(8). It offers a little more flexibility, IMO.
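As an added illustration (not part of the thread), the following simplified Python model of how sshd evaluates AllowUsers and DenyUsers, per sshd_config(5): DenyUsers is checked first, then AllowUsers, and a non-empty AllowUsers denies everyone it does not list. It matches user@host tokens against the client IP only and omits the group directives, CIDR and '!' negation, so treat it as a way to reason about the configs posted above, not as OpenSSH's code.

```python
import re
from dataclasses import dataclass, field


def glob_match(pattern: str, value: str) -> bool:
    """sshd-style wildcard match: '*' matches any run, '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def user_token_match(token: str, user: str, ip: str) -> bool:
    """One AllowUsers/DenyUsers token: 'user' or 'user@host'; both halves must match.
    A bare token (no '@', e.g. 'admin2' or '10.11.*') is matched against the
    username only, so it applies from any source address."""
    if "@" in token:
        upat, hpat = token.split("@", 1)
        return glob_match(upat, user) and glob_match(hpat, ip)
    return glob_match(token, user)


@dataclass
class SshdAccess:
    """Simplified model (constructed for this example) of sshd's user allow/deny logic."""
    deny_users: list = field(default_factory=list)
    allow_users: list = field(default_factory=list)

    def login_permitted(self, user: str, ip: str) -> bool:
        # Order documented in sshd_config(5): DenyUsers, then AllowUsers.
        if any(user_token_match(t, user, ip) for t in self.deny_users):
            return False
        # With AllowUsers present, anything not matched is denied by default.
        if self.allow_users and not any(user_token_match(t, user, ip) for t in self.allow_users):
            return False
        return True


# The AllowUsers line posted in the thread.
THREAD_ALLOW = SshdAccess(
    allow_users="root@10.11.12.* admin1@15.16.17.19 admin2 10.11.*".split()
)
# The follow-up question: DenyUsers root@192.168.* with no AllowUsers line at all.
DENY_ONLY = SshdAccess(deny_users=["root@192.168.*"])

if __name__ == "__main__":
    for cfg, who, src in [(THREAD_ALLOW, "root", "10.11.12.7"),
                          (THREAD_ALLOW, "root", "172.16.5.20"),
                          (DENY_ONLY, "root", "172.16.5.20"),
                          (DENY_ONLY, "root", "192.168.5.20")]:
        print(f"{who}@{src}: {'allowed' if cfg.login_permitted(who, src) else 'denied'}")
```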
I ended up going with pam_access on this for now but I may have a gap here.
1. No changes to sshd_config other than PermitRootLogin = no
2. /etc/security/access.conf looks like this (DOMAIN\foo is an Active Directory group):
+:DOMAIN\foo:10.
-:DOMAIN\foo:ALL
This works pretty well but anyone part of the domain outside of DOMAIN\foo can login. I need to be able to allow local users to login. Naturally, I can add them to a group and then put them in access.conf but I would prefer to just exclude any other domain logins such as this:
-:*\*:ALL
This doesn't work. Any other ideas?
Actually, thinking about this further. I want to explicitly require that users be added to a specific group for SFTP access so I ended up with this (sftp is a local group):
+:DOMAIN\foo,sftp:10
-:ALL:ALL
Resolved. :)