Hi List,

I have a problem to configure my OpenSSH: I want to allow root access (and all other users) to a webserver from my firewall with a static IP. For all other IPs I want to create a user who has access to this machine, and no one else (no root access!).

Could you please help me.

Many thanks and regards
Ruediger
man sshd is your friend:

snip ------
AllowUsers
    This keyword can be followed by a list of user names, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default login is allowed regardless of the user name. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
---- snip

for /etc/ssh/sshd_config, so you have to insert there

AllowUsers *.IP.Fire.wall.X CertainUserName.*

Yours
Michael Appeldorn
Thanks for the reply, but this doesn't work. I have read the manual, but the problem, I think, is the wildcard.

Your example:
AllowUsers *.IP.Fire.wall.X CertainUserName.*

My way:
AllowUsers *@IP.Fire.wall.X CertainUserName@*

--> in both cases only the user 'CertainUserName' will have access from all hosts; NO other user has access. The entry '*.IP.Fire.wall.X' doesn't work! My entry with '@' doesn't work either. I have tried to put the commands into two lines, but it is the same problem.

Perhaps you have another idea. I don't want to set up another sshd on another port.

Thanks and regards
Ruediger

Michael Appeldorn wrote:
Yep - the wildcard was my fault. According to the manpage it's @.

To your problem: check it out in two steps. One time the host, the other the users, to determine if it works at all.

Another idea to restrict the access is to edit /etc/hosts.allow and /etc/hosts.deny.

Will check it for my own and reply the result.

Michael Appeldorn
Hello,

I played around with the sshd and tried some settings, and I think I solved the problem: don't use IPs after the '@'! Take the FQDN (NOT the short name from /etc/hosts) and then it works!

In my example I tried:
AllowUsers *@my.domain.de
.. and this works fine.

Nevertheless, many thanks for the help.

Regards
Ruediger

Michael Appeldorn wrote:
IPs work fine. Try to resolve the address via ping my.domain.de and compare the IP with the one you used :O)

Michael Appeldorn
OK - I checked it. And it works. I used a 2.9.x sshd with the following line:

AllowUsers *@192.168.1.1 test@*

And all users coming from 192.168.1.1 were OK. From all other hosts only the test user came in.

Check your spelling (correct ip 2) and version. See /var/log/messages and increase the debug mode of sshd with the -d option (man sshd) to learn more.

If the problems go on, mail me - else I want to know what the problem was.

Michael Appeldorn
Thanks for your tip to check the IP version! That's the problem. There are some hosts configured with IPv6 and that doesn't work. ... and I have no experience with IPv6 ...

I changed the settings to:
AllowUsers *@::ffff:my.ip.v4.host test@*

Now it works fine. Thanks for the help.

Regards
Ruediger
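To see why the two AllowUsers lines in this thread behave as they do, here is an added Python model of the USER@HOST check (written for this page; not code from the thread or from OpenSSH). The host names and addresses are constructed; it shows that a plain IPv4 pattern misses a client that reaches an IPv6-bound sshd as ::ffff:192.168.1.1, and that a name-based pattern only holds while reverse DNS resolves the client.

```python
import re

# Constructed sample connections: (user, host name from reverse DNS, address as sshd records it).
CONNECTIONS = [
    ("root", "fw.example.net", "192.168.1.1"),         # firewall, arriving on the IPv4 socket
    ("root", "fw.example.net", "::ffff:192.168.1.1"),  # same firewall, sshd bound to an IPv6 socket
    ("root", "192.168.1.1", "192.168.1.1"),            # no reverse DNS: the host name is just the address
    ("test", "laptop.example.net", "10.9.8.7"),        # ordinary user from anywhere else
    ("root", "laptop.example.net", "10.9.8.7"),        # root from anywhere else: must be refused
]

def glob_match(value, pattern):
    """sshd-style pattern: only '*' and '?' are wildcards; matching is case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def allow_users_permits(allow_users, user, client_host, client_addr):
    """True if some pattern on the AllowUsers line admits this login.

    Simplified model of the OpenSSH check: a bare pattern is compared with the user
    name only; USER@HOST is split at the first '@', USER must match the user name and
    HOST must match either the reverse-resolved host name or the address string exactly
    as the server saw it, so '192.168.1.1' does not match '::ffff:192.168.1.1'.
    """
    for pattern in allow_users.split():
        user_pat, at, host_pat = pattern.partition("@")
        if not glob_match(user, user_pat):
            continue
        if not at or glob_match(client_host, host_pat) or glob_match(client_addr, host_pat):
            return True
    return False

def evaluate(allow_users):
    """Decision for every sample connection, keyed by (user, host, address)."""
    return {c: allow_users_permits(allow_users, *c) for c in CONNECTIONS}

if __name__ == "__main__":
    for line in ("*@192.168.1.1 test@*",                        # Michael's working line
                 "*@::ffff:192.168.1.1 test@*",                 # Ruediger's IPv6-socket fix
                 "*@fw.example.net test@*",                     # name-based: needs reverse DNS
                 "*@192.168.1.1 *@::ffff:192.168.1.1 test@*"):  # covers both socket families
        print(f"AllowUsers {line}")
        for (user, host, addr), ok in evaluate(line).items():
            print(f"  {user:4} from {host:18} [{addr:18}] -> {'allowed' if ok else 'refused'}")
```

Current OpenSSH additionally accepts CIDR ranges in the HOST part (for example *@192.168.1.0/24), which this model does not implement. Check any edited sshd_config with sshd -t before restarting the daemon.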
So disable it if you don't need it - every feature you don't need is a security risk you can prevent. Edit /etc/modules.conf and uncomment alias net-pf-10 ipv6 with a leading #.

Michael Appeldorn