[clue-tech] sshd authorization strategies
Dan Harris
dan at drivefaster.net
Wed Sep 12 15:35:17 MDT 2007
Thanks for your reply.
Angelo Bertolli wrote:
> Dan Harris wrote:
>> I have an Internet-facing server that I need to access via ssh. I
>> also have a growing number of other logins that need to use scp to
>> upload files to this server. Naturally, I am trying to find the
>> least-permissive solution that still accommodates my needs.
>
> What are your needs? You mentioned backup and users.
Those are my needs. Not sure how to elaborate any more on that.. only some
users however.
>
>> The sticky part of the problem is that I also have a "backup server"
>> that connects via ssh ( as root, by RSA key authentication only ) to
>> backup files over the network. The backup server is not Internet-facing.
>
> Hmmmm, knee-jerk reaction: look to see if there's a way to configure
> read-only mode for this connection through ssh.
I don't get your "knee-jerk" comment. It was well-reasoned and the best
solution I've found so far. Read-only login would be great to have, although I
haven't found any setting that allows this other than setting permissions at the
file and directory level.
Is there some setting you know of that allows a read-only ssh login? Google
hasn't guided me to any.
>
>> What I have been doing so far is to use the AllowUsers directive in
>> sshd_config to limit to the users that need to scp data as well as
>> have root@backup-server in there so that root may not log in from any
>> other machines.
>>
>> e.g.: AllowUsers root@backup-server user1 user2 user3
>
> I haven't used this before, but do all of your users get ssh? Or do you
> only provide the service as needed? If everyone gets ssh, then you
> might as well not bother worrying about this part.
Not everyone does. Or, like you correctly stated, I wouldn't worry about this
line at all.
>
>> There are a couple of problems with this. 1) Every time a new user
>> needs access to scp, they must be added to the sshd_config and the ssh
>> server must be HUP'd. Not a big deal, but could be nicer for
>> maintenance purposes.. and 2) This directive is limited to 256
>> strings. I take this to mean that I will not be able to use more than
>> 256 users in this setup. I expect that I will hit this ceiling at
>> some point so I need a way around it.
>
> Do you give your users shell access? If not, you might want to give
> them a non-shell by default and then users with access to use scp can
> have rssh, and users with full shell access can have bash.
>
Some get shell, some don't.
>
> If they all get shell access anyway, everyone can start out with rssh as
> the default, and you can control access control through that.
I hadn't heard of rssh before, thanks. I will change the shell as appropriate
for those people that only copy files.
However, I'm not clear how this gets around my initial problem.. I don't want
all accounts to have ssh access, only some, but I don't want to have to add each
user to sshd_config and restart the service every time ( plus the 256 limit is
looming ).
I also still have the root@backup-server I need to allow. If I keep
root@backup-server in there by itself, no other user will be able to login via
ssh. If I take it out, then root logins will not be limited to the
backup-server host.
-Dan
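
The AllowUsers trade-off described in the message above, as an added example that is not part of the original post: a simplified Python model of how a USER@HOST entry list is evaluated. It assumes only `*` and `?` wildcards (no negation or CIDR entries), takes the 256-entry ceiling from the post, and uses constructed host names and accounts.

```python
import re

MAX_PATTERNS = 256  # ceiling on AllowUsers entries as quoted in the post

def _glob(pattern):
    """Compile an sshd-style pattern: only '*' and '?' are wildcards."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def parse_allow_users(line):
    """Return [(user_pattern, host_pattern or None), ...] for one AllowUsers line."""
    keyword, *entries = line.split()
    if keyword.lower() != "allowusers":
        raise ValueError("not an AllowUsers line")
    if len(entries) > MAX_PATTERNS:
        raise ValueError(f"{len(entries)} entries exceeds {MAX_PATTERNS}")
    pairs = []
    for entry in entries:
        user, sep, host = entry.partition("@")
        pairs.append((user, host.lower() if sep else None))
    return pairs

def is_allowed(line, user, client_host):
    """Model the AllowUsers decision; line=None means the directive is absent."""
    if line is None:
        return True  # AllowUsers places no restriction when it is not set
    for user_pat, host_pat in parse_allow_users(line):
        if not _glob(user_pat).match(user):
            continue
        if host_pat is None or _glob(host_pat).match(client_host.lower()):
            return True
    return False  # directive present and nothing matched: login refused

# Constructed sample configurations; host names and accounts are made up.
WITH_USERS = "AllowUsers root@backup-server user1 user2 user3"
ROOT_ONLY = "AllowUsers root@backup-server"

if __name__ == "__main__":
    attempts = (("root", "backup-server"), ("root", "laptop.example"),
                ("user1", "laptop.example"), ("user4", "laptop.example"))
    for cfg in (WITH_USERS, ROOT_ONLY, None):
        for user, host in attempts:
            print(f"{cfg!s:50} {user}@{host}: {is_allowed(cfg, user, host)}")
```

With ROOT_ONLY every account other than root is refused, and with the directive absent root is accepted from any host, which is the dilemma stated in the last paragraph of the message.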