[clue-tech] sshd authorization strategies
Dan Harris
dan at drivefaster.net
Wed Sep 12 10:47:13 MDT 2007
I have an Internet-facing server that I need to access via ssh. I also have a
growing number of other logins that need to use scp to upload files to this
server. Naturally, I am trying to find the least-permissive solution that still
accommodates my needs. The sticky part of the problem is that I also have a
"backup server" that connects via ssh ( as root, by RSA key authentication only
) to backup files over the network. The backup server is not Internet-facing.
What I have been doing so far is to use the AllowUsers directive in sshd_config
to limit to the users that need to scp data as well as have root at backup-server
in there so that root may not log in from any other machines.
e.g.: AllowUsers root at backup-server user1 user2 user3
There are a couple of problems with this. 1) Every time a new user needs access
to scp, they must be added to the sshd_config and the ssh server must be HUP'd.
Not a big deal, but could be nicer for maintenance purposes.. and 2) This
directive is limited to 256 strings. I take this to mean that I will not be
able to use more than 256 users in this setup. I expect that I will hit this
ceiling at some point so I need a way around it.
The first option I explored was AllowGroups. I thought I could just add all of
these users to a group called sshusers and automagically have them able to
connect. But, there are a few problems I'm having with this:
1) AllowGroups overrides AllowUsers, so then I can't use my root at backup-server
option anymore. I don't want to allow root from all hosts.
2) Only the primary group is searched for AllowGroups checks. This is a pain
because my active logins have other primary groups.
Has anyone found a way to make AllowUsers trump AllowGroups? Or is there a
better way to approach this problem?
Thanks
More information about the clue-tech
mailing list