[clue-tech] sshd authorization strategies

Angelo Bertolli angelo at freeshell.org
Wed Sep 12 14:37:50 MDT 2007


Dan Harris wrote:
> I have an Internet-facing server that I need to access via ssh.  I 
> also have a growing number of other logins that need to use scp to 
> upload files to this server.  Naturally, I am trying to find the 
> least-permissive solution that still accommodates my needs.

What are your needs?  You mentioned backup and users.

>   The sticky part of the problem is that I also have a "backup server" 
> that connects via ssh ( as root, by RSA key authentication only ) to 
> backup files over the network. The backup server is not Internet-facing.

Hmmmm, knee-jerk reaction:  look to see if there's a way to configure 
read-only mode for this connection through ssh.

> What I have been doing so far is to use the AllowUsers directive in 
> sshd_config to limit to the users that need to scp data as well as 
> have root@backup-server in there so that root may not log in from any 
> other machines.
>
> e.g.: AllowUsers root@backup-server  user1   user2   user3

I haven't used this before, but do all of your users get ssh?  Or do you 
only provide the service as needed?  If everyone gets ssh, then you 
might as well not bother worrying about this part.

> There are a couple of problems with this.  1) Every time a new user 
> needs access to scp, they must be added to the sshd_config and the ssh 
> server must be HUP'd.  Not a big deal, but could be nicer for 
> maintenance purposes, and 2) This directive is limited to 256 
> strings.  I take this to mean that I will not be able to use more than 
> 256 users in this setup.  I expect that I will hit this ceiling at 
> some point so I need a way around it.

Do you give your users shell access?  If not, you might want to give 
them a non-shell by default and then users with access to use scp can 
have rssh, and users with full shell access can have bash.


If they all get shell access anyway, everyone can start out with rssh as 
the default, and you can control access through that.


Angelo
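The layout Angelo sketches (group-based login instead of a per-user AllowUsers list, rssh as the shell for scp-only accounts, and a restricted key for root@backup-server) can be written down as a small staging script. This is an added example, not code from the thread or from any of the posters; the group names sshusers and backupadm, the rssh path /usr/bin/rssh, the wrapper path /usr/local/sbin/backup-reader and the placeholder key are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Stages three pieces:
#   1. an sshd_config fragment that admits users by group, so adding an scp
#      user is a usermod and needs no sshd_config edit or HUP, and the
#      AllowUsers entry limit never comes into play;
#   2. the authorized_keys line for the backup server's root key, pinned to a
#      source host and a forced command with no pty or forwarding;
#   3. the forced command itself, which only runs the read side of rsync.
# Assumed names: groups sshusers/backupadm, /usr/bin/rssh, /usr/local/sbin/backup-reader.
set -eu

# sshd_config fragment. Root needs a group in AllowGroups too (backupadm here),
# and forced-commands-only means root authenticates only with a key whose
# authorized_keys entry carries a command= option.
sshd_fragment() {
    cat <<'EOF'
PasswordAuthentication no
PermitRootLogin forced-commands-only
AllowGroups sshusers backupadm
EOF
}

# authorized_keys entry for /root/.ssh/authorized_keys on the Internet-facing
# host. from= pins the source (an IP pattern avoids depending on reverse DNS),
# command= replaces whatever the client asked for, and the no-* options make
# the key useless for a shell or tunnel. $1 is the public key text.
backup_key_line() {
    printf 'from="backup-server",command="/usr/local/sbin/backup-reader",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1"
}

# The forced command. sshd exports the client's requested command in
# SSH_ORIGINAL_COMMAND; only an rsync sender (the read side) is executed, so
# the backup host can pull files but cannot push or delete. This sketch splits
# the string on whitespace; rsync's own support/rrsync with -ro is the
# hardened form to use in production.
backup_reader_script() {
    cat <<'EOF'
#!/bin/sh
case "${SSH_ORIGINAL_COMMAND:-}" in
    "rsync --server --sender "*) exec $SSH_ORIGINAL_COMMAND ;;
    *) printf 'rejected: %s\n' "${SSH_ORIGINAL_COMMAND:-<none>}" >&2; exit 1 ;;
esac
EOF
}

# scp-only accounts: rssh as login shell (with allowscp in /etc/rssh.conf it
# runs only scp's server side and refuses interactive logins) plus membership
# in the group sshd admits. Needs root; not run in the staging step below.
restrict_to_scp() {
    usermod -s /usr/bin/rssh -aG sshusers "$1"
}

# Render everything into a staging directory for review. Merge the fragment
# into sshd_config by hand and run `sshd -t` on the result before reloading.
stage="$(mktemp -d)"
sshd_fragment > "$stage/sshd_config.fragment"
# constructed placeholder key, not a real key
backup_key_line "ssh-rsa AAAAEXAMPLEKEY root@backup-server" > "$stage/root_authorized_keys"
backup_reader_script > "$stage/backup-reader"
chmod 0755 "$stage/backup-reader"
echo "staged in $stage"
```

Once the fragment is in place, onboarding an scp user is `restrict_to_scp user4` and nothing in sshd_config changes; full-shell users keep bash and are simply added to sshusers.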



