key based authentication except from certain hosts - SSH



Thread: key based authentication except from certain hosts

  1. key based authentication except from certain hosts

    Hello,

    I have tried to find information on this but no luck yet. I hope
    someone in this group can give me some pointers or advice.

    We use public/private key authentication on all our linux and unix
    hosts. We don't allow password authentication, only key authentication.
    Now, we have a monitoring software that uses SSH to collect metrics from
    linux and unix hosts, but I'm unable to use it since it lacks support
    for SSH key authentication. It can at the moment only work with a
    username and a password.

    The question - Is there some way in openssh to allow logins from
    certain hosts/IP addresses to authenticate with username and password
    rather than by a key?
    At the same time, key authentication should be enforced for all other
    logins.

    Thank you
    Wilma


  2. Re: key based authentication except from certain hosts

    wilma2002@spray.se wrote:

    > The question - Is there some way in openssh to allow logins from
    > certain hosts/IP addresses to authenticate with username and password
    > rather than by a key?


    I do not know of any way. You could run two sshds, one allowing only
    keypair authentication the other allowing only logins by certain users
    from certain hosts ("AllowUsers foo@127.0.0.1").

    Paul

  3. Re: key based authentication except from certain hosts

    Thanks Paul,
    that could be a solution actually, though I'm not sure how to set up 2
    sshd instances?

    Wilma


  4. Re: key based authentication except from certain hosts

    wilma2002@spray.se wrote:
    > Thanks Paul,
    > that could be a solution actually, though I'm not sure how to set up 2
    > sshd instances?


    Take a look at your init script in /etc/init.d/sshd, and make another copy
    of it that uses a special sshd.config file: then use that to start and stop
    your second daemon with another sshd instance on another port.

    Alternatively, you can tweak around with your sshd_config to try and allow
    password based authentication for specific hosts, but I'd be inclined to
    keep them separate.



  5. Re: key based authentication except from certain hosts

    Thanks Nico,

    I will give it a go!

    Regards
    Wilma


  6. Re: key based authentication except from certain hosts

    On 15 May 2006 04:38:58 -0700, wilma2002@spray.se wrote:
    > Hello,


    > I have tried to find information on this but no luck yet. I hope
    > someone in this group can give me some pointers or advice.


    > We use public/private key authentication on all our linux and unix
    > hosts. We don't allow password authentication, only key authentication.
    > Now, we have a monitoring software that uses SSH to collect metrics from
    > linux and unix hosts, but I'm unable to use it since it lacks support
    > for SSH key authentication. It can at the moment only work with a
    > username and a password.


    > The question - Is there some way in openssh to allow logins from
    > certain hosts/IP addresses to authenticate with username and password
    > rather than by a key?
    > At the same time, key authentication should be enforced for all other
    > logins.


    > Thank you
    > Wilma


    Whenever you need two (or more) distinct setups in sshd, the simplest
    way is to run a second ssh daemon listening on its own port. I did
    this on a RH9 system.

    Without going into too much detail, here's how:

    1. Copy the normal ssh config files to a new "privatessh" config:
    cd /etc/ssh
    cp -p ssh_config privatessh_config
    cp -p sshd_config privatesshd_config
    Then modify the new config files as necessary, make sure it
    uses a different port (sshd_config).
    2. Copy the ssh init script:
    cd /etc/rc.d/init.d
    cp -p sshd privatesshd
    and modify as required. Anything which points to ssh* must
    point to privatessh*
    3. Copy the ssh daemon and the pam module:
    cd /usr/sbin
    cp -p sshd privatesshd
    cd /etc/pam.d
    cp -p sshd privatesshd
    Do not modify.

    At this point you have a new, private ssh daemon available. You can
    start it (again, remember this is RH9):
    chkconfig --add privatesshd
    chkconfig --level 2345 privatesshd on
    service privatesshd start
    This should create the necessary keys if the files created in steps
    1 and 2 were modified correctly.

    The most important item is correctly modifying the files created in
    steps 1 and 2 above.

    --
    Dale Dellutri (lose the Q's)

  7. Re: key based authentication except from certain hosts

    Dale Dellutri wrote:

    > 3. Copy the ssh daemon and the pam module:
    > cd /usr/sbin
    > cp -p sshd privatesshd
    > cd /etc/pam.d
    > cp -p sshd privatesshd
    > Do not modify.


    Why don't you just use the same binary for all sshd instances? Copying
    the sshd binary is useless and dangerous because the copies won't be
    updated automatically during an OpenSSH (security) update.

    Paul

  8. Re: key based authentication except from certain hosts

    Thanks all for your prompt replies.
    Your solutions and howtos are my best bet getting the monitoring to
    work.

    Most appreciated!
    Wilma


  9. Re: key based authentication except from certain hosts

    On 15 May 2006 14:42:31 GMT, Paul Hink wrote:
    > Dale Dellutri wrote:


    > > 3. Copy the ssh daemon and the pam module:
    > > cd /usr/sbin
    > > cp -p sshd privatesshd
    > > cd /etc/pam.d
    > > cp -p sshd privatesshd
    > > Do not modify.


    > Why don't you just use the same binary for all sshd instances? Copying
    > the sshd binary is useless and dangerous because the copies won't be
    > updated automatically during an OpenSSH (security) update.


    Unfortunately, my notes do not remind me why I had to copy the binary.
    I remember having a problem when I was experimenting, but now I can't
    remember what the problem was.

    Of course, you are correct that I've had to carefully re-copy any
    files that change during a security update.

    --
    Dale Dellutri (lose the Q's)

  10. Re: key based authentication except from certain hosts

    On 2006-05-15, Dale Dellutri wrote:
    > On 15 May 2006 14:42:31 GMT, Paul Hink wrote:
    >> Why don't you just use the same binary for all sshd instances? Copying
    >> the sshd binary is useless and dangerous because the copies won't be
    >> updated automatically during an OpenSSH (security) update.

    >
    > Unfortunately, my notes do not remind me why I had to copy the binary.
    > I remember having a problem when I was experimenting, but now I can't
    > remember what the problem was.
    >
    > Of course, you are correct that I've had to carefully re-copy any
    > files that change during a security update.


    If you're using PAM, the PAM service name is the basename of the binary,
    so if you want different PAM configs for the two sshds then you need
    different names. A symlink will work too (and won't need to be updated
    after sshd is upgraded).

    To the OP: if you're prepared to try a patch then you could try the one
    here: http://bugzilla.mindrot.org/show_bug.cgi?id=1180
    It adds conditionals to sshd_config, so you could have the following:

    PasswordAuthentication no
    Match Address 1.2.3.4
    PasswordAuthentication yes

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
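
An added example (not code from the thread) putting together the second-daemon approach from Dale's steps with Paul's objection and Darren's PAM note: the second instance shares the system sshd binary through a symlink (which gives PAM a distinct service name and keeps following the real binary after an update) and gets its own config derived from the main one. The port 2222, the account monitor, the address 192.0.2.10, the privatesshd name and the sample sshd_config are assumptions; the demo writes only to a temporary directory and shows the real system paths in comments.

```shell
#!/bin/sh
# Added example, not code from the thread: a second, password-only sshd
# instance for the monitoring host that reuses /usr/sbin/sshd instead of
# copying it. Port 2222, the user "monitor", 192.0.2.10 and the name
# "privatesshd" are constructed assumptions.

# sshd applies the FIRST value it sees for each keyword, so a setting merely
# appended to a copied config would lose against the original line above it.
# Strip the keywords we intend to override, then append our own values.
make_private_sshd_config() {
    src=$1
    dst=$2
    port=$3
    allow=$4
    grep -Ev '^[[:space:]]*(Port|ListenAddress|PidFile|PasswordAuthentication|PubkeyAuthentication|AllowUsers)([[:space:]]|=)' "$src" > "$dst" || :
    cat >> "$dst" <<EOF

# --- second instance: password logins only, and only for the monitoring host ---
Port $port
PidFile /var/run/privatesshd.pid
PasswordAuthentication yes
PubkeyAuthentication no
# user@host form: this account may log in only from this address
AllowUsers $allow
EOF
}

# Last value of a keyword in a config file (empty if absent).
config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# How often a keyword occurs; a clean config has at most one line per keyword.
config_count() {
    awk -v key="$2" 'tolower($1) == tolower(key) { n++ } END { print n + 0 }' "$1"
}

# Give the second daemon its own name with a symlink, not a copy: PAM derives
# the service name from the binary's basename, and the symlink still points at
# the patched sshd after a security update. Prints the link target.
link_private_sshd() {
    bindir=$1
    ln -sf sshd "$bindir/privatesshd"
    # on a real system:
    #   ln -s /usr/sbin/sshd /usr/sbin/privatesshd
    #   cp -p /etc/pam.d/sshd /etc/pam.d/privatesshd
    #   /usr/sbin/privatesshd -f /etc/ssh/privatesshd_config
    readlink "$bindir/privatesshd"
}

# Demo on a constructed main config in a temp dir; nothing under /etc is touched.
DEMO_DIR=$(mktemp -d)
MAIN_CFG=$DEMO_DIR/sshd_config
PRIV_CFG=$DEMO_DIR/privatesshd_config
cat > "$MAIN_CFG" <<'EOF'
# constructed sample of the existing key-only sshd_config
Port 22
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF
make_private_sshd_config "$MAIN_CFG" "$PRIV_CFG" 2222 monitor@192.0.2.10
: > "$DEMO_DIR/sshd"                      # stand-in for /usr/sbin/sshd
LINK_TARGET=$(link_private_sshd "$DEMO_DIR")
printf 'second daemon: port %s, password %s, pubkey %s, binary -> %s\n' \
    "$(config_value "$PRIV_CFG" Port)" \
    "$(config_value "$PRIV_CFG" PasswordAuthentication)" \
    "$(config_value "$PRIV_CFG" PubkeyAuthentication)" "$LINK_TARGET"
```

Before starting the second instance, check the derived file with `sshd -t -f /etc/ssh/privatesshd_config`; the copied init script only has to call `/usr/sbin/privatesshd -f /etc/ssh/privatesshd_config` instead of the stock command. The AllowUsers user@host line is the only thing standing between the password-enabled port and the rest of the network, so it is worth also limiting that port to the monitoring host in the host firewall.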

  11. Re: key based authentication except from certain hosts

    Darren,
    the functionality in the sshd patch you mention is just what I'm
    looking for.
    If you don't mind, how would I go about applying this one?
    Or, do you think it would make it to a final update...and if so in what
    timeframe?

    Thanks
    Wilma


  12. Re: key based authentication except from certain hosts

    On 2006-05-16, wilma2002@spray.se wrote:
    > Darren,
    > the functionality in the sshd patch you mention is just what I'm
    > looking for.
    > If you don't mind, how would I go about applying this one?


    Grab openssh-4.3p2 and unpack.
    Change to the openssh-4.3p2 directory.
    Apply the patch:
    lynx -source 'http://bugzilla.mindrot.org/attachment.cgi?id=1127&action=view'\
    | patch -p0
    configure to taste, build and install as normal.

    (It's a unified diff so you will need GNU patch to apply it.)

    > Or, do you think it would make it to a final update...and if so in what
    > timeframe?


    I hope to have it in OpenSSH 4.4 but it's not certain.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
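
As an added example (not the patch's or OpenSSH's code), a small shell/awk evaluator for the Match Address conditional that Darren's three-line config relies on: it reads an sshd_config, decides which Match blocks apply to a given client address, and returns the PasswordAuthentication value sshd would use for that client. It implements the documented rules that a matching Match block overrides the global value and that, when several blocks match, the first one to set a keyword wins; it understands exact addresses and IPv4 CIDR lists and treats any other criterion as not matching. The sample config and the addresses 1.2.3.4, 192.0.2.0/24 and 203.0.113.9 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: evaluate which
# "Match Address" block applies to a client and report the resulting value
# of a keyword. The sample config and addresses below are constructed.
#
# Rules implemented:
#   - keywords before the first Match line are the global defaults;
#   - a Match block applies when every criterion matches; only Address
#     (exact IPv4 or CIDR, comma-separated) is supported here;
#   - among matching blocks, the FIRST one that sets the keyword wins;
#   - a matching block overrides the global value.
effective_setting() {   # effective_setting CONFIG CLIENT_ADDR KEYWORD
    awk -v client="$2" -v key="$3" '
    function ip2int(a,  o) {
        split(a, o, ".")
        return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
    }
    # exact match, or same network when spec carries a /prefix
    function cidr_match(addr, spec,  p, bits, net, div) {
        p = index(spec, "/")
        if (p == 0) return addr == spec
        bits = substr(spec, p + 1) + 0
        net  = substr(spec, 1, p - 1)
        div  = 2 ^ (32 - bits)
        return int(ip2int(addr) / div) == int(ip2int(net) / div)
    }
    function addr_match(list,  specs, n, i) {
        n = split(list, specs, ",")
        for (i = 1; i <= n; i++) if (cidr_match(client, specs[i])) return 1
        return 0
    }
    /^[ \t]*(#|$)/ { next }               # comments and blank lines
    tolower($1) == "match" {
        inmatch = 1; active = 1
        for (i = 2; i < NF; i += 2) {      # criterion / value pairs
            if (tolower($i) != "address" || !addr_match($(i + 1)))
                active = 0                # unsupported criterion or no match
        }
        next
    }
    tolower($1) == tolower(key) {
        if (!inmatch) global = $2
        else if (active && matched == "") matched = $2
    }
    END { print (matched != "" ? matched : global) }
    ' "$1"
}

# Constructed config: key-only everywhere, passwords only for two sources.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# constructed sample sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 1.2.3.4
    PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    PubkeyAuthentication no
EOF

for a in 1.2.3.4 192.0.2.77 203.0.113.9; do
    printf '%-12s PasswordAuthentication=%-3s PubkeyAuthentication=%s\n' "$a" \
        "$(effective_setting "$CFG" "$a" PasswordAuthentication)" \
        "$(effective_setting "$CFG" "$a" PubkeyAuthentication)"
done
```

On a server whose sshd supports Match, the authoritative check is sshd's own test mode rather than this script: `sshd -T -C addr=1.2.3.4,user=monitor,host=monitor.example.com | grep -i passwordauthentication` prints the value that would apply to that connection (the `-T`/`-C` options arrived in later OpenSSH releases than the 4.3p2 discussed here). Note that the global `PasswordAuthentication no` line must come before the Match block: anything after a Match line belongs to that block until the next one.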
