LinuxQuestions.org > Linux - Server > SFTP/SCP only per account
https://www.linuxquestions.org/questions/linux-server-73/sftp-scp-only-per-account-918377/

td3201 12-12-2011 02:14 PM

SFTP/SCP only per account
 
Hello,

I have a PCIDSS environment where I need to:
  1. restrict normal users to SFTP/SCP. This is easily done by setting the account to /sbin/nologin.
  2. prevent root/admin users from gaining shell access outside of certain IP block. In other words, these users have to VPN in to gain shell access.

I don't have the ability to restrict by IP address at the firewall layer unfortunately. Any ideas here?

anomie 12-12-2011 02:34 PM

See AllowUsers in sshd_config(5), and the accompanying PATTERNS section in ssh_config(5). Together, they allow you to whitelist account@subnet, account@other-subnet, etc.

All else is denied by default. An alternative to this would be using pam_access(8) to whitelist an entire group@subnet. (We need to know what OS / version you're using in order to help further.)

td3201 12-12-2011 02:36 PM

Oh fail on my part. I didn't realize I could whitelist a user@subnet pattern. Let me chew on that. It's RHEL6.

TB0ne 12-12-2011 02:38 PM

Quote:

Originally Posted by td3201 (Post 4548145)
Hello,

I have a PCIDSS environment where I need to:
  1. restrict normal users to SFTP/SCP. This is easily done by setting the account to /sbin/nologin.
  2. prevent root/admin users from gaining shell access outside of certain IP block. In other words, these users have to VPN in to gain shell access.
I don't have the ability to restrict by IP address at the firewall layer unfortunately. Any ideas here?

If I'm understanding what you're saying correctly, the AllowUsers (or DenyUsers) parameters in sshd_config would be what you're after.

Set it up something like:
Code:

# sshd_config: each pattern is USER or USER@HOST; DenyUsers is evaluated before AllowUsers
AllowUsers root@10.11.12.* admin1@15.16.17.19 admin2@10.11.*
DenyUsers root@192.* admin1@10.* admin2@15.*

...so root could only log in from the 10.11.12 network, and be denied if they're coming in on the 192.* network. Which, if they're VPN'ed in, I'm assuming their subnet will be identifiable, and able to be put in here. You can even allow/deny to ONE address itself.

EDIT: Dangit, I was typing when the other two replies came in. :)

td3201 12-12-2011 02:42 PM

I could go RTFM but just for fun conversation, just by doing DenyUsers root@192.168.* without an explicit AllowUsers root@* will root still be able to login say from 172.16.5.20?

anomie 12-12-2011 05:04 PM

@td3201: I'd expect it to, but am not sure. That's one of those scenarios that is best to personally test and observe.

Again, if you find that sshd(8)'s allow/deny pattern directives are not quite meeting your needs, be sure to consider pam_access(8). It offers a little more flexibility, IMO.
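As an added example (not code from the thread), the following Python models the DenyUsers/AllowUsers evaluation order documented in sshd_config(5) and runs td3201's question and TB0ne's whitelist through it. The pattern matcher, the login_allowed function and the sample addresses are constructed for this model and are not sshd's own code; only the client address is matched (sshd also matches the resolved hostname when UseDNS is on), and the group directives are left out.

```python
"""Added example, not from the thread: a small model of how sshd evaluates
DenyUsers and AllowUsers, as documented in sshd_config(5). DenyUsers is
checked first; then, if AllowUsers is set, the user must match one of its
patterns. Patterns are USER or USER@HOST with '*' and '?' wildcards. Only the
client address is modelled here (sshd also matches the resolved hostname when
UseDNS is enabled). DenyGroups/AllowGroups are omitted."""
from fnmatch import fnmatchcase


def pattern_matches(pattern: str, user: str, addr: str) -> bool:
    """USER@HOST: both halves must match; plain USER: any source address."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and fnmatchcase(addr, host_pat)
    return fnmatchcase(user, pattern)


def login_allowed(user, addr, allow_users=(), deny_users=()):
    """Return (allowed, reason) following sshd's DenyUsers-then-AllowUsers order."""
    for pat in deny_users:
        if pattern_matches(pat, user, addr):
            return False, f"denied by DenyUsers pattern {pat}"
    if allow_users and not any(pattern_matches(p, user, addr) for p in allow_users):
        return False, "AllowUsers is set and no pattern matched"
    return True, "permitted"


# The question asked in the thread: DenyUsers root@192.168.* with no AllowUsers.
# Sample addresses are constructed for the example.
def deny_only_case():
    deny = ["root@192.168.*"]
    return {
        "root from 172.16.5.20": login_allowed("root", "172.16.5.20", deny_users=deny)[0],
        "root from 192.168.1.5": login_allowed("root", "192.168.1.5", deny_users=deny)[0],
    }


# The whitelist approach: once AllowUsers is set, every account that should still
# log in (SFTP-only accounts included) must be listed, or it is refused.
def allow_list_case():
    allow = ["root@10.11.12.*", "admin1@15.16.17.19"]
    return {
        "root from 10.11.12.7": login_allowed("root", "10.11.12.7", allow_users=allow)[0],
        "root from 172.16.5.20": login_allowed("root", "172.16.5.20", allow_users=allow)[0],
        "sftp-only account, unlisted": login_allowed("sftpuser", "203.0.113.9",
                                                     allow_users=allow)[0],
        "sftp-only account, listed": login_allowed("sftpuser", "203.0.113.9",
                                                   allow_users=allow + ["sftpuser"])[0],
    }


if __name__ == "__main__":
    for name, result in {**deny_only_case(), **allow_list_case()}.items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

With only a DenyUsers line, root is still admitted from any address the pattern does not cover; with an AllowUsers line, everything unlisted is refused, which is what makes it a whitelist and also why the SFTP-only accounts from the first post would need to be listed (or covered by a pattern) as well.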

td3201 01-04-2012 08:44 PM

I ended up going with pam_access on this for now but I may have a gap here.

1. No changes to sshd_config other than PermitRootLogin = no
2. /etc/security/access.conf looks like this (DOMAIN\foo is an Active Directory group):
+:DOMAIN\foo:10.
-:DOMAIN\foo:ALL

This works pretty well but anyone part of the domain outside of DOMAIN\foo can login. I need to be able to allow local users to login. Naturally, I can add them to a group and then put them in access.conf but I would prefer to just exclude any other domain logins such as this:
-:*\*:ALL

This doesn't work. Any other ideas?

td3201 01-04-2012 08:58 PM

Actually, thinking about this further. I want to explicitly require that users be added to a specific group for SFTP access so I ended up with this (sftp is a local group):

# access.conf: the first matching line wins; the trailing dot makes "10." match every address beginning with 10.
+:DOMAIN\foo,sftp:10.
-:ALL:ALL


Resolved. :)
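As an added example (not from the thread), here is a Python model of pam_access(8) access.conf evaluation, used to show why each configuration posted above behaves as it does: the first matching line decides, a login that matches no line is granted, the users field takes literal user or group names only (there is no globbing, which is why -:*\*:ALL matches nobody), and a trailing dot is what turns an origin into an address prefix. The parse_access_conf and access_decision functions, the sample configs and the addresses and group memberships are constructed for this example and are not pam_access's code; EXCEPT lists, LOCAL, ttys and hostname lookups are not modelled.

```python
"""Added example, not from the thread: a model of pam_access(8) access.conf
evaluation. Each line is PERMISSION:USERS:ORIGINS. The first line whose USERS
and ORIGINS both match decides; if no line matches, access is granted. USERS
tokens are literal user or group names (ALL is the only special value; there
is no globbing). ORIGINS tokens are ALL, an address, a leading part of an
address ending in '.', or a network/netmask. Group membership is passed in by
the caller rather than looked up with getgrouplist(). EXCEPT lists, LOCAL,
ttys and hostnames are not modelled."""
import ipaddress
import re

# Constructed sample mirroring the final configuration posted in the thread
FINAL_CONF = r"""
# members of the AD group DOMAIN\foo or the local group sftp, from 10.x.x.x only
+:DOMAIN\foo,sftp:10.
-:ALL:ALL
"""

# Constructed sample mirroring the first attempt (no catch-all deny)
FIRST_CONF = r"""
+:DOMAIN\foo:10.
-:DOMAIN\foo:ALL
"""


def parse_access_conf(text):
    """Return a list of (permit, users, origins); list fields accept ',' or whitespace."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+",
                      [t for t in re.split(r"[,\s]+", users) if t],
                      [t for t in re.split(r"[,\s]+", origins) if t]))
    return rules


def user_matches(tok, user, groups):
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):   # explicit (group) syntax
        return tok[1:-1] in groups
    return tok == user or tok in groups             # plain token: user name, then group name


def origin_matches(tok, addr):
    if tok == "ALL":
        return True
    if tok.endswith("."):                            # leading part of an address, e.g. "10."
        return addr.startswith(tok)
    if "/" in tok:                                   # network/netmask, e.g. 10.0.0.0/8
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    return tok == addr                               # otherwise an exact address


def access_decision(rules, user, groups, addr):
    """True if pam_access would grant the login, False if it would refuse it."""
    for permit, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and \
           any(origin_matches(o, addr) for o in origins):
            return permit
    return True   # no line matched: pam_access grants access by default


def thread_cases():
    """The situations discussed in the thread, evaluated against both configs."""
    first, final = parse_access_conf(FIRST_CONF), parse_access_conf(FINAL_CONF)
    return {
        # first config: a domain user outside DOMAIN\foo matches no line and gets in
        "first: other domain user, 203.0.113.5": access_decision(first, "bob", ["DOMAIN\\users"], "203.0.113.5"),
        # final config: only the two groups, and only from 10.
        "final: DOMAIN\\foo member, 10.1.2.3": access_decision(final, "alice", ["DOMAIN\\foo"], "10.1.2.3"),
        "final: DOMAIN\\foo member, 203.0.113.5": access_decision(final, "alice", ["DOMAIN\\foo"], "203.0.113.5"),
        "final: local sftp user, 10.9.8.7": access_decision(final, "svc", ["sftp"], "10.9.8.7"),
        "final: other domain user, 10.1.2.3": access_decision(final, "bob", ["DOMAIN\\users"], "10.1.2.3"),
    }


if __name__ == "__main__":
    for name, granted in thread_cases().items():
        print(f"{name}: {'granted' if granted else 'refused'}")
```

Two details worth checking against a real box: an origin written as "10" with no trailing dot is compared as an exact address, so a "+:sftp:10" line followed by "-:ALL:ALL" refuses everyone, and a deny line that matches nobody (such as a wildcard in the users field) leaves the default-grant behaviour in place, which is the gap described in the earlier post.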

