From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 19:10:34 2004
From: Mark Johnston
To: Mark Skurzynski, freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 14:10:31 -0500
Subject: Re: Question restricting ssh access for some users only
In-Reply-To: <20041007185425.GB25539@yem.eng.utah.edu>
References: <080b01c4ac9e$90584250$0a13a8c0@lomag.net> <20041007185425.GB25539@yem.eng.utah.edu>
Message-Id: <200410071410.31964.mjohnston@skyweb.ca>
List-Id: Security issues [members-only posting]

Mark Ogden wrote:
> Mark Skurzynski on Thu, Oct 07, 2004 at 02:50:49PM -0400 wrote:
> > I normally don't reply here, however the simple solution is to run a 2nd
> > instance of sshd on any random port you choose, i.e. "sshd -f
> > /etc/ssh/sshd_config_private" or whatever you choose. You could then
> > easily firewall that port and only allow specific IPs to connect.
>
> Yes, that was our second idea. But we feel there's got to be a better
> way.

Seems appropriate that a third Mark should chip in here: there is.
You can use ~/.ssh/authorized_keys to add restrictions, one of which is "from":

    from="pattern-list"
        Specifies that in addition to public key authentication, the
        canonical name of the remote host must be present in the
        comma-separated list of patterns (`*' and `?' serve as
        wildcards). The list may also contain patterns negated by
        prefixing them with `!'; if the canonical host name matches a
        negated pattern, the key is not accepted. The purpose of this
        option is to optionally increase security: public key
        authentication by itself does not trust the network or name
        servers or anything (but the key); however, if somebody somehow
        steals the key, the key permits an intruder to log in from
        anywhere in the world. This additional option makes using a
        stolen key more difficult (name servers and/or routers would
        have to be compromised in addition to just the key).

Apply that to the only key you allow to log in for root, and then set PermitRootLogin to "without-password", heeding the warning in sshd_config(5) about ChallengeResponseAuthentication.

I would still encourage you to look at Per Engelbrecht's sudo suggestion; you will very likely want the logging that it provides. However, you should be able to do exactly what you want with this.

Mark
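The from="pattern-list" semantics described in the quoted sshd(8) text are easy to get subtly wrong (a negated pattern that matches rejects the key even if a positive pattern also matches, and an entry with only negated patterns never matches anyone). The following is an added example that is not part of the mailing-list post and is not OpenSSH code: it parses an authorized_keys line, pulls out its options, and applies the host-name matching rules the man page describes. The authorized_keys entry and host names are constructed for the example; the key blob is a placeholder, not a real key. It models only the canonical-host-name check the quoted man page talks about; modern sshd also matches the client address (including CIDR patterns), which is not modelled here.

```python
"""Model of the from="pattern-list" restriction on an authorized_keys entry.

Added example, not code from the post or from OpenSSH. Rules follow the
sshd(8) text quoted in the message: '*' and '?' are wildcards, a leading
'!' negates a pattern, a negated match rejects the key outright, and
otherwise some positive pattern must match the canonical host name.
Address/CIDR matching done by newer sshd releases is deliberately omitted.
"""

# Key types that may start an entry that carries no options (assumption:
# a short list is enough for this example; real sshd knows more).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def glob_match(pattern: str, host: str) -> bool:
    """Match host against pattern using only '*' and '?' as wildcards.

    Case-insensitive, as sshd's host-name matching is. Greedy '*' with
    backtracking; no '[...]' character classes (sshd has none either).
    """
    p, h = pattern.lower(), host.lower()
    pi = hi = 0
    star_p = star_h = -1
    while hi < len(h):
        if pi < len(p) and (p[pi] == "?" or p[pi] == h[hi]):
            pi += 1
            hi += 1
        elif pi < len(p) and p[pi] == "*":
            star_p, star_h = pi, hi        # remember where '*' started
            pi += 1
        elif star_p != -1:
            star_h += 1                    # let the last '*' eat one more char
            pi, hi = star_p + 1, star_h
        else:
            return False
    while pi < len(p) and p[pi] == "*":    # trailing '*' may match nothing
        pi += 1
    return pi == len(p)


def from_allows(pattern_list: str, host: str) -> bool:
    """Apply a from= pattern list to the canonical host name.

    A matching negated pattern rejects immediately. A matching positive
    pattern is remembered but the scan continues, because a later '!'
    pattern can still reject. No positive match at all means reject.
    """
    matched = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            if glob_match(pat[1:], host):
                return False
        elif glob_match(pat, host):
            matched = True
    return matched


def parse_authorized_key_line(line: str):
    """Split an authorized_keys line into (options_dict, key_text).

    Options are comma-separated and end at the first whitespace that is
    not inside double quotes; a backslash escapes a character inside quotes.
    An entry that begins with a key type has no options.
    """
    line = line.strip()
    if line.split(None, 1)[0] in KEY_TYPES:
        return {}, line
    opts, cur, in_quotes, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quotes = not in_quotes
        elif c == "\\" and in_quotes and i + 1 < len(line):
            i += 1
            cur.append(line[i])
        elif c == "," and not in_quotes:
            opts.append("".join(cur))
            cur = []
        elif c.isspace() and not in_quotes:
            break
        else:
            cur.append(c)
        i += 1
    opts.append("".join(cur))
    parsed = {}
    for opt in opts:
        name, sep, value = opt.partition("=")
        parsed[name] = value if sep else True   # flag options map to True
    return parsed, line[i:].strip()


def key_accepted(line: str, canonical_host: str) -> bool:
    """True if this authorized_keys entry would accept a login from the host."""
    opts, _key = parse_authorized_key_line(line)
    if "from" not in opts:
        return True                             # no from= restriction
    return from_allows(opts["from"], canonical_host)


# Constructed root key entry for the example; the blob is a placeholder.
ROOT_KEY = ('from="*.example.org,!untrusted.example.org",no-port-forwarding '
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLACEHOLDERNOTAREALKEY root@admin")

if __name__ == "__main__":
    for host in ("admin.example.org", "untrusted.example.org", "evil.example.net"):
        print(f"{host:25s} -> {'accept' if key_accepted(ROOT_KEY, host) else 'reject'}")
```

Pair the restricted entry with `PermitRootLogin without-password` in sshd_config so that root can only ever authenticate with that one key; note that the check above is only as trustworthy as the reverse DNS sshd resolves for the client, which is exactly the caveat the man page makes about name servers and routers.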