allow login from specific address - SSH

Thread: allow login from specific address

  1. allow login from specific address

    hello

    i want to config a ssh gateway between internet and my intranet:
    the specifications are:
    - a user from internet can not login the ssh_gateway
    - some users (admins) from intranet can login the ssh_gateway

    how can i do that ?
    can i allow sshd to accept login only from an ip address range ?

    is it more secure to only accept port forwarding on ssh_gateway ?

    thanks

    sylvain

  2. Re: allow login from specific address

    Sylvain Ferriol writes:

    > hello
    >
    > i want to config a ssh gateway between internet and my intranet:
    > the specifications are:
    > - a user from internet can not login the ssh_gateway
    > - some users (admins) from intranet can login the ssh_gateway
    >
    > how can i do that ?
    > can i allow sshd to accept login only from an ip address range ?
    >
    > is it more secure to only accept port forwarding on ssh_gateway ?


    TCP Wrappers rather than an sshd config is the place to do this.

    The 30 second tutorial, assuming it's installed:

    edit /etc/hosts.deny
    Make this the one and only line:
    sshd: ALL

    Or, if you want to get more restrictive and don't host external
    services on the box make that:
    ALL:ALL

    which denies everything by default except things specifically
    allowed.

    Next, edit /etc/hosts.allow

    Add lines
    sshd: ip.address.to.allow.here
    sshd: ip.address2.to.allow.here
    sshd: ip.address3.to.allow.here
    sshd: ip.address4.to.allow.here
    sshd: intranet.mycompany.com

    Man hosts.allow for more details and different ways to specify ip
    ranges and subnets. If your intranet hosts reverse resolve to a
    consistent name e.g. host123.intranet.mycompany.com, then sshd:
    intranet.mycompany.com would be your hosts.allow entry.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  3. Re: allow login from specific address

    Todd H. wrote:
    > Sylvain Ferriol writes:
    >
    >
    >>hello
    >>
    >>i want to config a ssh gateway between internet and my intranet:
    >>the specifications are:
    >>- a user from internet can not login the ssh_gateway
    >>- some users (admins) from intranet can login the ssh_gateway
    >>
    >>how can i do that ?
    >>can i allow sshd to accept login only from an ip address range ?
    >>
    >>is it more secure to only accept port forwarding on ssh_gateway ?

    >
    >
    > TCP Wrappers rather than an sshd config is the place to do this.
    >
    > The 30 second tutorial, assuming it's installed:
    >
    > edit /etc/hosts.deny
    > Make this the one and only line:
    > sshd: ALL


    the problem is that i want to allow port forwarding from internet to
    intranet like this:
    ssh -N -L 4444:foo_server:4444 sshd_gateway
    >
    > Or, if you want to get more restrictive and don't host external
    > services on the box make that:
    > ALL:ALL
    >
    > which denies everything by default except things specifically
    > allowed.
    >
    > Next, edit /etc/hosts.allow
    >
    > Add lines
    > sshd: ip.address.to.allow.here
    > sshd: ip.address2.to.allow.here
    > sshd: ip.address3.to.allow.here
    > sshd: ip.address4.to.allow.here
    > sshd: intranet.mycompany.com
    >
    > Man hosts.allow for more details and different ways to specify ip
    > ranges and subnets. If your intranet hosts reverse resolve to a
    > consistent name e.g. host123.intranet.mycompany.com, then sshd:
    > intranet.mycompany.com would be your hosts.allow entry.
    >
    > Best Regards,
    > --
    > Todd H.
    > http://www.toddh.net/


  4. Re: allow login from specific address

    Sylvain Ferriol writes:

    > Todd H. wrote:
    > > Sylvain Ferriol writes:
    > >
    > >>hello
    > >>
    > >>i want to config a ssh gateway between internet and my intranet:
    > >>the specifications are:
    > >>- a user from internet can not login the ssh_gateway
    > >>- some users (admins) from intranet can login the ssh_gateway
    > >>
    > >>how can i do that ?
    > >>can i allow sshd to accept login only from an ip address range ?
    > >>
    > >>is it more secure to only accept port forwarding on ssh_gateway ?

    > > TCP Wrappers rather than an sshd config is the place to do this. The
    > > 30 second tutorial, assuming it's installed: edit /etc/hosts.deny
    > > Make this the one and only line: sshd: ALL

    >
    > the problem is that i want to allow port forwarding from internet to
    > intranet like this:
    > ssh -N -L 4444:foo_server:4444 sshd_gateway


    Are your requirements opposed to each other?

    If you want to allow a forward connection from internet to intranet on
    the gateway to set up that port forwarding, you can't prohibit "a user
    from internet can not login the ssh_gateway."

    Or are you saying you want to allow this port forwarding, but no
    interactive login shells from internet users?

    --
    Todd H.
    http://www.toddh.net/

  5. Re: allow login from specific address

    Sylvain Ferriol writes:

    >hello


    >i want to config a ssh gateway between internet and my intranet:
    >the specifications are:
    >- a user from internet can not login the ssh_gateway
    >- some users (admins) from intranet can login the ssh_gateway


    >how can i do that ?
    >can i allow sshd to accept login only from an ip address range ?


    Use hosts.allow and only allow from the specific address range. ssh uses
    tcpwrapper.


    >is it more secure to only accept port forwarding on ssh_gateway ?


    >thanks


    >sylvain


  6. Re: allow login from specific address

    Todd H. wrote:
    > Sylvain Ferriol writes:
    >
    >
    >>Todd H. wrote:
    >>
    >>>Sylvain Ferriol writes:
    >>>
    >>>
    >>>>hello
    >>>>
    >>>>i want to config a ssh gateway between internet and my intranet:
    >>>>the specifications are:
    >>>>- a user from internet can not login the ssh_gateway
    >>>>- some users (admins) from intranet can login the ssh_gateway
    >>>>
    >>>>how can i do that ?
    >>>>can i allow sshd to accept login only from an ip address range ?
    >>>>
    >>>>is it more secure to only accept port forwarding on ssh_gateway ?
    >>>
    >>>TCP Wrappers rather than an sshd config is the place to do this. The
    >>>30 second tutorial, assuming it's installed: edit /etc/hosts.deny
    >>>Make this the one and only line: sshd: ALL

    >>
    >>the problem is that i want to allow port forwarding from internet to
    >>intranet like this:
    >>ssh -N -L 4444:foo_server:4444 sshd_gateway

    >
    >
    > Are your requirements opposed to each other?
    >
    > If you want to allow a forward connection from internet to intranet on
    > the gateway to set up that port forwarding, you can't prohibit "a user
    > from internet can not login the ssh_gateway."

    why ?
    >
    > Or are you saying you want to allow this port forwarding, but no
    > interactive login shells from internet users?
    >

    yes

  7. Re: allow login from specific address

    On 2006-09-21, Sylvain Ferriol wrote:
    > Todd H. wrote:

    [...]
    >> If you want to allow a forward connection from internet to intranet on
    >> the gateway to set up that port forwarding, you can't prohibit "a user
    >> from internet can not login the ssh_gateway."

    > why ?
    >>
    >> Or are you saying you want to allow this port forwarding, but no
    >> interactive login shells from internet users?
    >>

    > yes


    There's a couple of new features in OpenSSH 4.4 (and newer) that could
    help here: "PermitOpen" which controls which portforwards are allowed and
    "Match" which can apply those restrictions to a subset of connections.

    So assuming your local net is 192.168.0.0/24 and you wanted to allow any
    commands or forwards from connections originating from it, this would
    be something like

    Match Address 192.168.0.*
    PermitOpen any

    Match Address *
    PermitOpen 1.2.3.4:44444

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
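    Darren's two keywords carried through to Sylvain's stated goal (a forward to one intranet service allowed from the internet, no interactive session), as an added example that is neither Darren's nor the OpenSSH project's own configuration. It assumes the intranet is 192.168.0.0/24 as in his post, takes the target foo_server:4444 from Sylvain's ssh command, and uses options newer than OpenSSH 4.4 (ForceCommand is of the same generation as Match; PermitTTY and the `local` value of AllowTcpForwarding came later, so check sshd_config(5) for your version). The negated address on the second Match line is the part to get right: sshd applies the first instance of a keyword from any block that matches, and an earlier block cannot unset ForceCommand, so the internet-side block must not match intranet clients at all.

```sshd_config
# Added example, not from the thread. Assumes: intranet is 192.168.0.0/24,
# internet users may reach foo_server:4444 and nothing else, and an OpenSSH
# new enough for PermitTTY and "AllowTcpForwarding local".

# Global section: applies to everyone unless a matching block below overrides it.
AllowTcpForwarding yes
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# Admins on the intranet: normal interactive session, forward anywhere.
Match Address 192.168.0.0/24
    PermitOpen any

# Everyone else, i.e. the internet side. The leading "!" keeps intranet clients
# out of this block; without it, ForceCommand and PermitTTY would bind to them
# too, because the first block sets neither and sshd takes the first instance
# of a keyword from any block that matches.
Match Address !192.168.0.0/24,*
    PermitOpen foo_server:4444
    AllowTcpForwarding local
    ForceCommand /bin/false
    PermitTTY no
```

    Validate with `sshd -t`, then inspect what a given client actually gets with `sshd -T -C addr=203.0.113.9 | grep -iE 'permitopen|forcecommand|permittty|allowtcpforwarding'` and repeat with an intranet address. With `ssh -N -L 4444:foo_server:4444 sshd_gateway` no command is requested, so nothing runs and the forward is served; a client that asks for a shell gets /bin/false, which exits at once and ends the session. Match keys on source address only, so the internet side still needs proper authentication in front of it; address matching decides what a session may do, not who may open one.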