Network Security Secure-Shell

PAM and SSH

Subject: PAM and SSH
Date: Wed, 15 Mar 2006 21:58:19 -0500
I would like to allow ssh access from 
1) anyone on the 192.168.1.0/24 network
or
2) anyone on a list of users.

If someone meets either of these criteria, they can log in.

The goal is to block everyone except a small list of trusted souls from 
accessing the linux system when they are out of the building. As long as you 
are in the building and have a username and password, you can log in.

If they meet these criteria, they still have to log in.

The default ssh file in pam.d uses auth required pam_listfile.so to block the 
root user.

It seems that I can reverse the sense from sense=deny to sense=allow and 
replace root with all of the legal remote users in the file.

It also seems that I can allow people from 192.168.1.0/24 using pam_listfile 
with item=rhost.
I do not have an example of what the file looks like.
I would like it to look like this:
192.168.1.0/24

The only "working" version looks like
host.domain.com 

I then want the user to be required to login with a valid Active Directory 
username. I already have that working with winbind.
pam_stack.so service=system-auth (I renamed the winbind service to system-auth 
to avoid having to change every pam file.)

I am a bit unclear about what ssh does with 

auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

There seems to be some duplication - everyone calls pam_stack.so exactly the 
same way.


I have something like this in the pam.d/ssh file
#block root
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
# basic requirement of a username and password
auth required pam_stack.so service=system-auth
auth required pam_nologin.so

# Ok so they have the keys; but are they in the right places
#allow the chosen people no matter from where
account sufficient pam_listfile.so item=user sense=allow file=/etc/ssh/allowusers
#allow the riff-raff as long as they are at work
account required pam_listfile.so item=rhost sense=allow file=/etc/ssh/allow192
account required pam_stack.so service=system-auth    # ---- This looks redundant

password required pam_stack.so service=system-auth   # --- ????

session required pam_stack.so service=system-auth    # --- ????


Using the above pam.d/sshd file I can log in if I am on the list of God's 
chosen but the others can not get in unless I have listed the fully qualified 
host name in allow192.

Is there some way to have the IP address range used instead of the host name?

Ron
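An added example, not part of Ron's post or of any reply in the thread. pam_listfile compares the item (here the rhost string sshd hands to PAM) as a plain string, so an entry of 192.168.1.0/24 in allow192 can never match an rhost value such as 192.168.1.37 or host.domain.com; that is why only the fully qualified host name worked. The Linux-PAM module that understands address ranges is pam_access.so, driven by /etc/security/access.conf, which is consulted in the account phase after the password has already been checked by the auth lines. The stack below keeps the pam_stack.so/system-auth arrangement and the denyusers file from the post; the user names and the netmask form of the office network are illustrative, and which origin syntax is accepted depends on the pam_access version installed (older releases only understand the trailing-dot prefix form noted in the comment).

```text
# /etc/pam.d/sshd   (example; assumes pam_stack.so and the system-auth
# service from the original post are already in place)
auth     required   pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth     required   pam_stack.so service=system-auth
auth     required   pam_nologin.so
# pam_access.so decides who may log in and from where. It runs in the
# account phase, i.e. only for a user who has already presented a valid
# password, so a hit here is a policy denial, not an authentication failure.
account  required   pam_access.so
account  required   pam_stack.so service=system-auth
password required   pam_stack.so service=system-auth
session  required   pam_stack.so service=system-auth

# /etc/security/access.conf   (format: permission : users : origins)
# Rules are read top to bottom and the first match wins.
# 1) trusted users (illustrative names) may log in from anywhere
+ : alice bob carol : ALL
# 2) everyone else only from the office network; pam_access resolves a
#    host name in rhost back to its address before comparing, which is
#    what pam_listfile does not do.  On older pam_access versions use the
#    prefix form "192.168.1." instead of a netmask.
+ : ALL : 192.168.1.0/255.255.255.0
# 3) deny every other remote login
- : ALL : ALL
```

The order of the three rules is the whole policy: swapping rules 2 and 3 would lock everyone out, so after editing access.conf keep an existing root session open and test with one trusted user from outside the network and one ordinary user from inside and outside; pam_access logs each refusal to syslog (typically /var/log/secure or auth.log), which is also where to look when a legitimate login is unexpectedly rejected.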