[clue-tech] sshd authorization strategies

Dan Harris dan at drivefaster.net
Wed Sep 12 10:47:13 MDT 2007


I have an Internet-facing server that I need to access via ssh.  I also have a 
growing number of other logins that need to use scp to upload files to this 
server.  Naturally, I am trying to find the least-permissive solution that still 
accommodates my needs.  The sticky part of the problem is that I also have a 
"backup server" that connects via ssh (as root, by RSA key authentication only) 
to back up files over the network. The backup server is not Internet-facing.

What I have been doing so far is to use the AllowUsers directive in sshd_config 
to limit to the users that need to scp data as well as have root@backup-server 
in there so that root may not log in from any other machines.

e.g.: AllowUsers root@backup-server  user1   user2   user3

There are a couple of problems with this.  1) Every time a new user needs access 
to scp, they must be added to the sshd_config and the ssh server must be HUP'd. 
Not a big deal, but could be nicer for maintenance purposes.  2) This 
directive is limited to 256 strings.  I take this to mean that I will not be 
able to use more than 256 users in this setup.  I expect that I will hit this 
ceiling at some point so I need a way around it.

The first option I explored was AllowGroups.  I thought I could just add all of 
these users to a group called sshusers and automagically have them able to 
connect.  But, there are a few problems I'm having with this:

1) AllowGroups overrides AllowUsers, so then I can't use my root@backup-server 
option anymore.  I don't want to allow root from all hosts.

2) Only the primary group is searched for AllowGroups checks.  This is a pain 
because my active logins have other primary groups.

Has anyone found a way to make AllowUsers trump AllowGroups?  Or is there a 
better way to approach this problem?

Thanks
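
An added example, not part of the original post: a small audit of the AllowUsers setup described above. It counts the patterns across all global AllowUsers lines against the 256 figure quoted in the post (taken from the post as an assumption) and flags any pattern that admits root without a host restriction. The function names and the sample config are constructed for illustration.

```python
from fnmatch import fnmatchcase

MAX_PATTERNS = 256  # per-directive limit quoted in the post (assumption)

# Constructed sample, modelled on the AllowUsers line in the post.
SAMPLE = """\
# constructed sshd_config fragment
AllowUsers root@backup-server user1 user2
allowusers user3
"""

def allow_users(config_text):
    """Collect the patterns from every global AllowUsers line, in order."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":
            break  # only the global section is audited here
        if keyword.lower() == "allowusers":  # keywords are case-insensitive
            patterns.extend(args)            # repeated lines accumulate
    return patterns

def audit(config_text, limit=MAX_PATTERNS, warn_ratio=0.9):
    """Report pattern count, headroom, and root entries not pinned to a host."""
    patterns = allow_users(config_text)
    open_root = []
    for pattern in patterns:
        user, _, host = pattern.partition("@")
        # A pattern admits root from anywhere when its user part matches
        # "root" (wildcards included) and its host part is absent or "*".
        if fnmatchcase("root", user) and host in ("", "*"):
            open_root.append(pattern)
    if len(patterns) > limit:
        capacity = "over"
    elif len(patterns) >= limit * warn_ratio:
        capacity = "near"
    else:
        capacity = "ok"
    return {"count": len(patterns), "capacity": capacity, "open_root": open_root}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A line written as `AllowUsers root at backup-server user1` is read as four separate patterns, so the audit reports `root` as unrestricted; the `@` form is what pins root to the backup host.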


