[clue-tech] sshd authorization strategies

Dan Harris dan at drivefaster.net
Wed Sep 12 15:35:17 MDT 2007


Thanks for your reply.

Angelo Bertolli wrote:
> Dan Harris wrote:
>> I have an Internet-facing server that I need to access via ssh.  I 
>> also have a growing number of other logins that need to use scp to 
>> upload files to this server.  Naturally, I am trying to find the 
>> least-permissive solution that still accommodates my needs.
> 
> What are your needs?  You mentioned backup and users.

Those are my needs.  Not sure how to elaborate any more on that.. only some 
users however.

> 
>>   The sticky part of the problem is that I also have a "backup server" 
>> that connects via ssh ( as root, by RSA key authentication only ) to 
>> back up files over the network. The backup server is not Internet-facing.
> 
> Hmmmm, knee-jerk reaction:  look to see if there's a way to configure 
> read-only mode for this connection through ssh.

I don't get your "knee-jerk" comment.  It was well-reasoned and the best 
solution I've found so far.  Read-only login would be great to have, although I 
haven't found any setting that allows this other than setting permissions at the 
file and directory level.

Is there some setting you know of that allows a read-only ssh login?  Google 
hasn't guided me to any.

> 
>> What I have been doing so far is to use the AllowUsers directive in 
>> sshd_config to limit to the users that need to scp data as well as 
>> have root@backup-server in there so that root may not log in from any 
>> other machines.
>>
>> e.g.: AllowUsers root@backup-server  user1   user2   user3
> 
> I haven't used this before, but do all of your users get ssh?  Or do you 
> only provide the service as needed?  If everyone gets ssh, then you 
> might as well not bother worrying about this part.

Not everyone does.  Or, like you correctly stated, I wouldn't worry about this 
line at all.

> 
>> There are a couple of problems with this.  1) Every time a new user 
>> needs access to scp, they must be added to the sshd_config and the ssh 
>> server must be HUP'd.  Not a big deal, but could be nicer for 
>> maintenance purposes.. and 2) This directive is limited to 256 
>> strings.  I take this to mean that I will not be able to use more than 
>> 256 users in this setup.  I expect that I will hit this ceiling at 
>> some point so I need a way around it.
> 
> Do you give your users shell access?  If not, you might want to give 
> them a non-shell by default and then users with access to use scp can 
> have rssh, and users with full shell access can have bash.
> 

Some get shell, some don't.

>
> If they all get shell access anyway, everyone can start out with rssh as 
> the default, and you can control access control through that.

I hadn't heard of rssh before, thanks.  I will change the shell as appropriate 
for those people that only copy files.

However, I'm not clear how this gets around my initial problem..  I don't want 
all accounts to have ssh access, only some, but I don't want to have to add each 
user to sshd_config and restart the service every time ( plus the 256 limit is 
looming ).

I also still have the root@backup-server I need to allow.  If I keep 
root@backup-server in there by itself, no other user will be able to login via 
ssh.  If I take it out, then root logins will not be limited to the 
backup-server host.

-Dan
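
The trade-off described in this message can be reproduced with a small model of how an AllowUsers list is evaluated. This is an added example, not part of the original post and not OpenSSH code; the sample configs, host names and function names are constructed, and pattern matching is simplified to `*` and `?` wildcards with the host taken as whatever name sshd resolved for the client.

```python
# Added example: simplified model of sshd's AllowUsers check (not OpenSSH code).
from fnmatch import fnmatchcase

MAX_PATTERNS = 256  # ceiling for the directive as quoted in the post


def parse_allow_users(config_text):
    """Collect the patterns from every AllowUsers line of an sshd_config text."""
    patterns = []
    for line in config_text.splitlines():
        words = line.strip().split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if words[0].lower() == "allowusers":  # keywords are case-insensitive
            patterns.extend(words[1:])
    return patterns


def is_allowed(patterns, user, host):
    """An empty list means the directive imposes no restriction at all."""
    if not patterns:
        return True
    for pattern in patterns:
        if "@" in pattern:
            # USER@HOST form: user and host are checked separately
            user_pat, host_pat = pattern.split("@", 1)
            if fnmatchcase(user, user_pat) and fnmatchcase(host.lower(), host_pat.lower()):
                return True
        elif fnmatchcase(user, pattern):
            return True
    return False  # directive present, nothing matched


def headroom(patterns):
    """How many more patterns fit before the quoted ceiling is reached."""
    return MAX_PATTERNS - len(patterns)


# Constructed sample configurations mirroring the cases in the message.
CURRENT = "AllowUsers root@backup-server user1 user2 user3\n"
ROOT_ONLY = "AllowUsers root@backup-server\n"
NO_DIRECTIVE = "# AllowUsers removed\n"

if __name__ == "__main__":
    for name, cfg in [("current", CURRENT), ("root-only", ROOT_ONLY), ("none", NO_DIRECTIVE)]:
        pats = parse_allow_users(cfg)
        print(name, is_allowed(pats, "root", "other-host"), is_allowed(pats, "user1", "other-host"), headroom(pats))
```
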



