[clue-tech] sshd authorization strategies

Dan Poler dpoler at redhat.com
Wed Sep 12 12:40:11 MDT 2007


Could you possibly require your users that must connect to authenticate
by key only and not by password? In doing so you could completely
disable password auth. You could also investigate one-time passwords etc
-- which can be generated off of a Palm or similar device.

dap

On Wed, 2007-09-12 at 10:47 -0600, Dan Harris wrote:
> I have an Internet-facing server that I need to access via ssh.  I also have a 
> growing number of other logins that need to use scp to upload files to this 
> server.  Naturally, I am trying to find the least-permissive solution that still 
> accommodates my needs.  The sticky part of the problem is that I also have a 
> "backup server" that connects via ssh ( as root, by RSA key authentication only 
> ) to backup files over the network. The backup server is not Internet-facing.
> 
> What I have been doing so far is to use the AllowUsers directive in sshd_config 
> to limit to the users that need to scp data as well as have root@backup-server 
> in there so that root may not log in from any other machines.
> 
> e.g.: AllowUsers root@backup-server user1 user2 user3
> 
> There are a couple of problems with this.  1) Every time a new user needs access 
> to scp, they must be added to the sshd_config and the ssh server must be HUP'd. 
> Not a big deal, but could be nicer for maintenance purposes.. and 2) This 
> directive is limited to 256 strings.  I take this to mean that I will not be 
> able to use more than 256 users in this setup.  I expect that I will hit this 
> ceiling at some point so I need a way around it.
> 
> The first option I explored was AllowGroups.  I thought I could just add all of 
> these users to a group called sshusers and automagically have them able to 
> connect.  But, there are a few problems I'm having with this:
> 
> 1) AllowGroups overrides AllowUsers, so then I can't use my root@backup-server 
> option anymore.  I don't want to allow root from all hosts.
> 
> 2) Only the primary group is searched for AllowGroups checks.  This is a pain 
> because my active logins have other primary groups.
> 
> Has anyone found a way to make AllowUsers trump AllowGroups?  Or is there a 
> better way to approach this problem?
> 
> Thanks
-- 
Dan Poler, RHCE
Senior Consultant
Red Hat, Inc.
E-Mail: dpoler at redhat.com
Phone: +1 (303) 502-4576
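As an added example (not part of either message), one way to implement what Dan suggests alongside the root-from-backup-server restriction: key-only authentication in sshd_config, a group in place of the 256-entry AllowUsers list, and a from= option in root's authorized_keys that pins the backup key to the backup host. The group name sshusers and the address 192.0.2.10 are assumed values; sshd_config(5) documents AllowGroups as matching a user's primary or supplementary groups, so sshusers does not need to be anyone's primary group.

```conf
# /etc/ssh/sshd_config (added example; "sshusers" and 192.0.2.10 are assumed values)
Protocol 2

# Key-only: no passwords and no keyboard-interactive fallback to a password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Root may log in with a key but never with a password; which host the key
# works from is pinned in root's authorized_keys below, not here.
PermitRootLogin without-password

# Replaces the per-user AllowUsers list: put an account in the sshusers group
# (primary or supplementary) and it may log in. root must be a member as well.
AllowGroups sshusers

# --- /root/.ssh/authorized_keys (one line per key; key body is a placeholder) ---
# from= restricts this key to the backup server; the no-* options strip
# capabilities a backup job does not need.
from="192.0.2.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER... backup@backup-server
```

Run `sshd -t` to syntax-check the file before HUPing sshd, and keep an existing session open while confirming that a fresh key login still works.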