Network Security Secure-Shell

Re: sshd_config access keywords question.

Subject: Re: sshd_config access keywords question.
Date: Sat, 14 Oct 2006 14:58:30 +0100
Emerson Farrugia wrote:
The configuration most likely to succeed that I've tried so far is
AllowGroups ssh lanssh@192.168.0.*

What authentication methods do you use? You could turn off all methods
and then selectively turn them back on using the Match keyword, e.g.:

# Only accept connections from users in ssh and lanssh groups
AllowGroups ssh lanssh

# Turn off all authentication methods so logins fail by default.
*** NB You'll need to fill this in ***

Match Group ssh
  # Turn on authentication methods allowing ssh group to login anywhere.
  *** NB You'll need to fill this in ***

Match Address 192.168.0.*
  # Turn on authentication methods - allowing all others to login only
  # if on local network.
  *** NB You'll need to fill this in ***


Or what about using PAM?

# PAM needed to implement restrictions (this keyword takes yes/no).
UsePAM yes

And then add the following to the pam sshd file (Often /etc/pam.d/sshd):

account required pam_access.so accessfile=/etc/security/sshd.conf

Then create /etc/security/sshd.conf with the following:

- : ALL EXCEPT ssh lanssh:192.168.0.0/24

(^^ You should double check this).

This should deny all users, except the ssh group and the lanssh group if
logged in through 192.168.0.0/24.


Finally, you could alternatively patch the sshd source so that the match
keyword extends to AllowGroups.  Then you could use something like:

AllowGroups ssh

Match Address 192.168.0.*
  AllowGroups lanssh


Personally, I feel that the PAM option is the best and easiest to
implement and maintain (assuming you have it on your system).

Take care,

Ben
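As an added illustration of the pam_access option, not code from Ben's message or from the pam_access project, the following Python models how access.conf(5) is evaluated (first matching line decides; no matching line means access is granted) and runs the posted one-line policy beside a three-line policy that states the intent as written out in the reply. The parser is a deliberate simplification: it handles `+`/`-`, bare user or group names, the `(group)` form, `ALL`, `ALL EXCEPT`, and origins given as `ALL`, an IP address or a CIDR network; hostname and tty origins are not modelled. The user names, group memberships and addresses below are constructed for the demonstration.

```python
"""Model of pam_access / access.conf(5) first-match evaluation.

Added example, not code from the mailing-list post.  Assumptions: only
the syntax subset named in the lead-in is parsed, and origins are IPs or
CIDR networks (hostnames and ttys are ignored).
"""
import ipaddress

# Constructed: the single line from the post, spacing as posted.
POSTED_POLICY = "- : ALL EXCEPT ssh lanssh:192.168.0.0/24\n"

# Constructed: the stated intent as three ordered rules. '(name)' forces
# the token to be read as a group name rather than a login name.
INTENDED_POLICY = """\
+ : (ssh) : ALL
+ : (lanssh) : 192.168.0.0/24
- : ALL : ALL
"""


def _name_matches(token, user, groups):
    """Bare token: login name first, then group (access.conf rule);
    '(name)' matches only a group."""
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups
    return token == user or token in groups


def _list_matches(field, match_one):
    """Evaluate 'ALL', 'ALL EXCEPT a b' or 'a b c' list fields."""
    words = field.split()
    if not words:
        return False
    if words[0] == "ALL":
        if len(words) >= 2 and words[1] == "EXCEPT":
            return not any(match_one(w) for w in words[2:])
        return True
    return any(match_one(w) for w in words)


def _origin_matches(token, addr):
    """Origin tokens modelled here: ALL, an IP address, or a CIDR net."""
    if token == "ALL":
        return True
    try:
        return addr in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # hostnames and ttys are out of scope for this model


def parse_policy(text):
    """Return a list of (allow, users_field, origins_field) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3:
            raise ValueError("malformed access.conf line: %r" % raw)
        perm, users, origins = parts
        rules.append((perm == "+", users, origins))
    return rules


def check_access(policy_text, user, groups, from_ip):
    """True if pam_access would grant the login, False if it would deny."""
    addr = ipaddress.ip_address(from_ip)
    groups = set(groups)
    for allow, users, origins in parse_policy(policy_text):
        if (_list_matches(users, lambda w: _name_matches(w, user, groups))
                and _list_matches(origins, lambda w: _origin_matches(w, addr))):
            return allow
    return True  # access.conf(5): no matching entry means access is granted


if __name__ == "__main__":
    # Constructed logins: outsider, LAN user, lanssh member, ssh member.
    cases = [("bob", [], "203.0.113.5"), ("bob", [], "192.168.0.10"),
             ("carol", ["lanssh"], "203.0.113.5"),
             ("carol", ["lanssh"], "192.168.0.10"),
             ("alice", ["ssh"], "203.0.113.5")]
    for user, groups, ip in cases:
        print("%-6s %-10s %-14s posted=%-5s intended=%s" % (
            user, ",".join(groups) or "-", ip,
            check_access(POSTED_POLICY, user, groups, ip),
            check_access(INTENDED_POLICY, user, groups, ip)))
```

Running the script shows the point of the "double check" remark: the posted line only matches users outside the two groups who arrive from 192.168.0.0/24, so a non-member connecting from outside the LAN, and a lanssh member connecting from outside, hit no rule and are granted. The three-rule form grants ssh members from anywhere, lanssh members only from the LAN, and ends with an explicit deny-all so that the default grant never applies.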
