Hello,
does anybody know how to achieve the following with SSH...
a) accept RSA authentication for all but root from any IP
b) accept RSA authentication for root from a couple IPs/Netmasks
c) accept password authentication for all but root from a dozen Netmasks
d) accept password authentication for root from 3 local netmasks only
i.e. make authentication depend on the USER, METHOD, CLIENT-IP triplet...
Cheers, MaZe.
I think you can accomplish some of what you want using TCP Wrappers. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tcpwrappe...
I don't know how you could do a-d at once though.
Maciej Żenczykowski wrote:
> Hello,
> does anybody know how to achieve the following with SSH...
> a) accept RSA authentication for all but root from any IP
> b) accept RSA authentication for root from a couple IPs/Netmasks
> c) accept password authentication for all but root from a dozen Netmasks
> d) accept password authentication for root from 3 local netmasks only
> i.e. make authentication depend on the USER, METHOD, CLIENT-IP triplet...
> Cheers, MaZe.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Tue, 2005-31-05 at 11:45 +0200, Maciej Żenczykowski wrote:
> a) accept RSA authentication for all but root from any IP
> b) accept RSA authentication for root from a couple IPs/Netmasks
> c) accept password authentication for all but root from a dozen Netmasks
> d) accept password authentication for root from 3 local netmasks only
> i.e. make authentication depend on the USER, METHOD, CLIENT-IP triplet...
That should all be possible by adding the appropriate parameters in the /etc/ssh/sshd_config file. Also read the sshd_config man page.
HTH,
Ranbir
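Ranbir's pointer to sshd_config is the complete answer on any OpenSSH new enough to have Match blocks, which arrived in OpenSSH 4.4 (after this thread). The script below is an added example written for this page, not something posted in the thread: it emits an sshd_config that implements (a) to (d) with Match blocks and then checks the result with `sshd -t` and `sshd -T -C`, which prints the settings sshd would actually apply to a given user and source address. All user names, host names and networks are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the four rules expressed as sshd_config
# Match blocks, plus the checks that show what sshd will actually enforce.
# All addresses are placeholders (RFC 5737 / RFC 1918 ranges); substitute your own.

# Print the policy. Everything before the first Match is a global default; a
# Match block overrides those defaults only for connections that satisfy all
# of its criteria, and for each keyword the first matching block wins.
gen_sshd_policy() {
    cat <<'EOF'
# Global defaults: keys from anywhere, no passwords, no root.
# (a) non-root users authenticate with a key from any IP.
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
# With UsePAM yes, PAM can still ask for a password through keyboard-interactive
# unless this is off as well (older releases call it ChallengeResponseAuthentication).
KbdInteractiveAuthentication no

# Match blocks must follow the global section. Root blocks come first so that
# the broader password block below cannot take precedence for root.

# (d) root may log in with a password (or a key) from three local nets.
Match User root Address 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24
    PermitRootLogin yes
    PasswordAuthentication yes

# (b) root may log in with a key only, from two management hosts.
Match User root Address 192.0.2.10,192.0.2.11
    PermitRootLogin prohibit-password

# (c) everyone may use a password from the dozen nets (three shown); root stays
# excluded here because PermitRootLogin is still "no" unless a block above matched.
Match Address 10.10.0.0/16,10.20.0.0/16,172.16.0.0/12
    PasswordAuthentication yes
EOF
}

# Syntax-check the policy and print the effective settings for representative
# (user, source address) pairs. sshd -T needs a host key present, so run this on
# the server itself. Expected results:
#   alice from 203.0.113.7 -> pubkey yes, password no                 (a)
#   alice from 10.10.4.2   -> password yes                            (c)
#   root  from 203.0.113.7 -> permitrootlogin no                      (denied)
#   root  from 192.0.2.10  -> permitrootlogin prohibit-password       (b)
#   root  from 10.0.1.9    -> permitrootlogin yes, password yes       (d)
check_policy() {
    cfg=$(mktemp) || return 1
    gen_sshd_policy > "$cfg"
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not found; policy written to $cfg but not checked" >&2
        return 0
    fi
    sshd -t -f "$cfg" || return 1
    for spec in \
        user=alice,addr=203.0.113.7 \
        user=alice,addr=10.10.4.2 \
        user=root,addr=203.0.113.7 \
        user=root,addr=192.0.2.10 \
        user=root,addr=10.0.1.9
    do
        echo "== $spec"
        sshd -T -f "$cfg" -C "$spec,host=client.example.net,laddr=192.0.2.1,lport=22" |
            grep -E '^(permitrootlogin|pubkeyauthentication|passwordauthentication|kbdinteractiveauthentication) '
    done
}

# Uncomment to run the check on a server that has host keys installed:
# check_policy
```

Two things to keep in mind when adapting this. Match blocks are evaluated in file order and, for each keyword, the first block that matches is the one that counts, so if a management host in (b) also sits inside one of the local nets in (d), the order of those two blocks decides whether root gets a password prompt from it. And `sshd -T -C` is the check to run after every edit: it answers "what does root from this address actually get" without a live login attempt.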
On Tue, May 31, 2005 at 11:45:44AM +0200, Maciej Żenczykowski wrote:
> Hello,
> does anybody know how to achieve the following with SSH...
> a) accept RSA authentication for all but root from any IP
> b) accept RSA authentication for root from a couple IPs/Netmasks
> c) accept password authentication for all but root from a dozen Netmasks
> d) accept password authentication for root from 3 local netmasks only
> i.e. make authentication depend on the USER, METHOD, CLIENT-IP triplet...
I don't think you can do all of that with just 1 instance of sshd. You can, however, have more than one instance running, and use iptables to redirect the connections based on the source IP address to the correct instance (each one with a different port and config file).
Since sshd's footprint is very small, that should have no nasty side effects.
[]s
--
Rodrigo Barbosa rodrigob@suespammers.org
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Tue, 2005-05-31 at 14:17 -0300, Rodrigo Barbosa wrote:
> I don't think you can do all of that with just 1 instance of sshd. You can, however, have more than one instance running, and use iptables to redirect the connections based on the source IP address to the correct instance (each one with a different port and config file). Since sshd's footprint is very small, that should have no nasty side effects.
For any SSH that allows root access, I'd run it on a non-standard port anyway. Although it's probably ideal to keep that port under 1024 so no arbitrary user can present a login service for root.
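Rodrigo's multi-instance design, combined with the point above about keeping the root-capable listener on a port below 1024, as an added example that is not from the thread: a script that emits one config per instance, generates the iptables rules that steer port 22 to the right instance, and, when run as root with the `apply` argument, starts the instances and loads the rules. It assumes three extra instances on ports 1021 to 1023, the placeholder networks in the table, and that the existing /etc/ssh/sshd_config on port 22 is already keys-only with PermitRootLogin no.

```shell
#!/bin/sh
# Added example, not from the thread: one sshd per source-address class, each on
# its own privileged port with its own config, with iptables steering port 22
# to the right instance. Networks, ports and file names are placeholders.

# Instance table: name, port, PermitRootLogin, PasswordAuthentication, source nets.
# Order matters: iptables rules are emitted in this order and the first match wins.
# Anything not listed stays on the default instance (port 22: keys only, no root).
instances() {
    cat <<'EOF'
root-local 1023 yes               yes 10.0.0.0/24 10.0.1.0/24 10.0.2.0/24
root-key   1022 prohibit-password no  192.0.2.10 192.0.2.11
passwd     1021 no                yes 10.10.0.0/16 10.20.0.0/16 172.16.0.0/12
EOF
}

# Emit the config for one instance. Each instance needs its own Port and PidFile;
# host keys are shared with the default instance.
gen_instance_config() {
    name=$1
    port=$2
    root=$3
    passwd=$4
    cat <<EOF
# sshd instance "$name"
Port $port
PidFile /var/run/sshd-$name.pid
PubkeyAuthentication yes
PermitRootLogin $root
PasswordAuthentication $passwd
KbdInteractiveAuthentication $passwd
EOF
}

# Emit the iptables rules. nat/PREROUTING rewrites destination port 22 to the
# instance port for the listed sources. The filter/INPUT rules are what make
# this safe: REDIRECT only touches traffic sent to port 22, so without them any
# client could reach a root-capable instance by connecting to its port directly.
gen_iptables_rules() {
    instances | while read -r name port root passwd nets; do
        for net in $nets; do
            echo "iptables -t nat -A PREROUTING -p tcp --dport 22 -s $net -j REDIRECT --to-ports $port"
            echo "iptables -A INPUT -p tcp --dport $port -s $net -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Write the configs, syntax-check them, start the instances and load the rules.
# Only runs when invoked as "sh this-script.sh apply" by root.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    instances | while read -r name port root passwd nets; do
        cfg=/etc/ssh/sshd_config.$name
        gen_instance_config "$name" "$port" "$root" "$passwd" > "$cfg"
        sshd -t -f "$cfg" || exit 1
        sshd -f "$cfg"
    done || return 1
    gen_iptables_rules | sh -e
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

The rules are appended with `-A`, so on a host whose INPUT chain already ends in a catch-all DROP they must be inserted ahead of it (or use `-I`). Overlapping networks are resolved by table order: a root-local net that also falls inside a password net is steered to the root-local instance, where non-root password logins still work. Compare this with a single sshd_config using Match blocks: the multi-instance layout needs the packet filter to be right for the policy to hold at all.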
On Tue, 2005-05-31 at 11:45 +0200, Maciej Żenczykowski wrote:
> Hello,
> does anybody know how to achieve the following with SSH...
> a) accept RSA authentication for all but root from any IP
> b) accept RSA authentication for root from a couple IPs/Netmasks
> c) accept password authentication for all but root from a dozen Netmasks
> d) accept password authentication for root from 3 local netmasks only
> i.e. make authentication depend on the USER, METHOD, CLIENT-IP triplet...
SSH.com's ssh server (commercial/non-commercial versions) does all that.
ftp://ftp.ssh.com/pub/ssh/
-Bruno