Network Security Secure-Shell

Different authentication for different locations

Subject: Different authentication for different locations
Date: Sat, 18 Jun 2005 23:02:55 -0400
I've recently wanted to have more-secure authentication requirements for external connections than for those originating from the local network. (i.e.: from 192.168.1.102, you can log in using just a password, but from 68.54.124.178 (that's random numbers, don't bother), you can only get in using keys-based authentication.) I didn't see anything similar when I was searching online for a way to do this, so I figured I'd share in case anyone else wanted to do the same thing. (Or wants to say "Don't do that! It will cause horrors from beyond time!" or wants to say "wtf? Just add this to your sshd_config, dimwit!")

In order to achieve this, I created an extra user account "someuser-remote" with the same UID as "someuser", the same home directory and shell, and no password (ie: account disabled).

# useradd -o -u 1000 -g 1000 -d /home/someuser/ -s /bin/bash someuser-remote
(a more general but still imperfect command:)
# useradd -o -u $(grep '^someuser:' /etc/passwd | cut -d: -f3) -g $(grep '^someuser:' /etc/passwd | cut -d: -f4) -d /home/someuser/ -s /bin/bash someuser-remote


then added to my sshd_config:
AllowUsers *@192.168.1.* someuser-remote@*
(and of course various options to allow keys-based authentication, but those are enabled by default on debian)


For multiple users, you'd probably want "... *-remote@*"

The really surprising thing for me: it actually seems to be working. Without error. Even my prompt is saying "[someuser@servo someuser]$ " instead of "[someuser-remote@servo someuser]$ ". That much was very unexpected, and a cause of minor concern, but I was planning on forcing my PS1 for someuser-remote anyway, so it's really doing what I wanted it to.

Other than that, I've had to symlink /var/mail/someuser-remote to point to /var/mail/someuser. There are probably other minor things like this, but this is all I've noticed so far.

I really expect that different security for different origins is something which I am not alone in wanting, but I also expect somebody here thinks this is a bad idea.

I would call it "quantum entanglement of user accounts to allow spooky action over a distance", but that's just me.
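As an added example (not part of the original post): the same per-origin policy expressed with sshd's Match directive, which OpenSSH 4.4 and later provide and which avoids the duplicate-UID account entirely. The address range and user name are assumptions for illustration; the global settings must come first, because everything under a Match line applies only to matching connections.

```sshd_config
# Global defaults, applied to every connection: keys only, no passwords.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers someuser

# A Match block stays in effect until the next Match line or end of file,
# so it has to sit below the global settings. Only connections from the
# (assumed) local network get password authentication re-enabled.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

sshd -t checks the file for syntax errors before a restart, and sshd -T -C addr=192.168.1.102,user=someuser prints the settings that would actually apply to a connection from that address.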
