Solved

Allow userok@ip_good, Deny userok@any_other_ip and Allow *@*

Posted on 2010-08-25
5
387 Views
Last Modified: 2013-11-17
Is it possible? I'm running sshd on Aix6.1

Scenario:
ALLOW only access from: userok@ip_good
DENY access from userok@*
and
ALLOW acces from *@*

Thanks
0
Comment
Question by:sminfo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 78

Accepted Solution

by:
arnold earned 250 total points
ID: 33521779
I've not used AIX, but do not think it is possible.
You can use the hosts.allow/hosts.deny if your SSH has tcp_wrappers to deny based on IP.

If sshd with tcp_wrappers handles the user@ip,
The other issue is that deny supersedes allows such that an entry in Allow userok@ip_good will be ignored because of the entry in DENY: sshd:userok@*  

I've not tested whether username@ is even an option which seems rather problemativ as it will be a nightmare to track down. i.e. user is active everywhere except the user can not connect.
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 250 total points
ID: 33521801
Hello again,
I fear this will not be feasible.
All "DenyUsers user@host" directives in sshd_config are processed before the "Allow..." directives, and once a user's access is denied it will not be granted back to them depending on a particular host.
wmp
0
 

Author Comment

by:sminfo
ID: 33522281
Hi wmp and arnold,

The fact is I have a user 'userok' who uses to connect all my servers and run certain commands via sshd. I want to block access in my servers  from userok@* but let only access to sshd to userok@ip_good. :-)
Am I asking too much? I've searched a lot but can find a solution to make this possible.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 33522424
I think we understood your question and we answered it: No, it is not possible to achieve what you desire.
0
 
LVL 78

Expert Comment

by:arnold
ID: 33522523
You are trying to combine two separate functions into working in tandem.
I.e. TCP based access list (tcp_wrappers) allows access control to SSHD.
You can use the hosts.allow and hosts.deny to deny sshd:all and in the hosts.allow add the SSHD: IPrange, ips, etc. that you want to allow.

The SSH level restriction for user and group access will handle that side using AllowGroups, AllowUsers, DenyGroups, DenyUsers will process the deny first.

The problem is you seemingly want to limit access of a specific user to a specific IP.

An option you could have is to replace the shell configured for userok.
instead of /bin/bash, you could have an intermediary shell which is a script that will check whether the user is connecting from ip_good by checking the SSH_client env source. If it is, the script runs bash. If it is not, the script exits which will terminate the ssh session.

You would need to add this overlay/wrapper script on every system as well as modify the userok /etc/passwd entry if it is not centrally managed using NIS, NIS+, LDAP, etc.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question