sshd_config access keywords question.
Emerson Farrugia
2006-10-09 18:55:19 UTC
Hi,

I'm running OpenSSH 4.4 on OpenBSD 3.9-stable and I'm trying to configure ssh access to my machine. I'd like to implement a relatively simple access policy, in my opinion, using the AllowUsers, AllowGroups, DenyUsers, and DenyGroups keywords, but I haven't managed.


The policy I'm trying to implement is that access should be allowed for users in the group ssh, for users in the group lanssh if they are connecting from my network, and for nobody else. Is this even possible?


The configuration most likely to succeed that I've tried so far is

AllowGroups ssh ***@192.168.0.*

but the latter identifier is just ignored.


I would even settle for writing the individual usernames that are allowed lanssh access in sshd_config, but I've been unable to do that too. For instance, for a privileged user lanuser in group lanssh, the following

DenyUsers lanuser@!192.168.0.*
AllowGroups ssh lanssh

doesn't prevent lanuser from logging in from other hosts.


Any help would be greatly appreciated.

Thanks,
Emerson
Benjamin Donnachie
2006-10-14 13:58:30 UTC
Post by Emerson Farrugia
The configuration most likely to succeed that I've tried so far is
What authentication methods do you use? You could turn off all methods
and then selectively turn them back on using the match keyword eg:

# Only accept connections from users in ssh and lanssh groups
AllowGroups ssh lanssh

# Turn off all authentication methods so logins fail by default.
*** NB You'll need to fill this in ***

Match Group ssh
# Turn on authentication methods allowing ssh group to login anywhere.
*** NB You'll need to fill this in ***

Match Address 192.168.0.*
# Turn on authentication methods - allowing all others to login only
# if on local network.
*** NB You'll need to fill this in ***


Or what about using PAM?

# PAM needed to implement restrictions.
UsePAM on

And then add the following to the pam sshd file (Often /etc/pam.d/sshd):

account required pam_access.so accessfile=/etc/security/sshd.conf

Then create /etc/security/sshd.conf with the following:

- : ALL EXCEPT ssh lanssh:192.168.0.0/24

(^^ You should double check this).

This should deny all users, except the ssh group and the lanssh group if
logged in through 192.168.0.0/24.


Finally, you could alternatively patch the sshd source so that the match
keyword extends to AllowGroups. Then you could use something like:

Allowgroups ssh

Match Address 192.168.0.*
Allowgroups lanssh


Personally, I feel that the PAM option is the best and easiest to
implement and maintain (assuming you have it on your system).

Take care,

Ben
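To see how the pam_access route resolves the policy from the original question (group ssh from anywhere, group lanssh only from 192.168.0.0/24, nobody else), here is an added example, not from the thread: a simplified Python model of access.conf evaluation run over a constructed rule set. It assumes the `(group)` syntax and CIDR origins, which depend on the pam_access version, and leaves out ttys, hostnames, LOCAL and netmask origins.

```python
import ipaddress

# Constructed access.conf for the policy in the question. Each line is
# "permission : users : origins"; the first matching line wins.
ACCESS_CONF = """
+ : (ssh) : ALL
+ : (lanssh) : 192.168.0.0/24
- : ALL : ALL
"""

def _user_matches(field, user, groups):
    """users field: login names, (group) names, ALL, and 'X EXCEPT Y'."""
    names = field.split()
    if "EXCEPT" in names:
        i = names.index("EXCEPT")
        return (_user_matches(" ".join(names[:i]), user, groups)
                and not _user_matches(" ".join(names[i + 1:]), user, groups))
    for n in names:
        if n == "ALL":
            return True
        if n.startswith("(") and n.endswith(")"):
            if n[1:-1] in groups:
                return True
        elif n == user:
            return True
    return False

def _origin_matches(field, addr):
    """origins field (subset): ALL, single addresses, or CIDR networks."""
    ip = ipaddress.ip_address(addr)
    for n in field.split():
        if n == "ALL" or ip in ipaddress.ip_network(n, strict=False):
            return True
    return False

def check_access(conf, user, groups, addr):
    """Return True if the first matching rule is '+'. With no matching
    rule pam_access grants access, which is why the trailing '- : ALL : ALL'
    line matters."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        if _user_matches(users, user, groups) and _origin_matches(origins, addr):
            return perm == "+"
    return True
```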
