openssh 5.1 issue

[saifkhan123]

hey all,
my name is tauseef and i am working as a system support engineer for an IT-based company.

I have recently configured a secure ftp server using openssh 5.2, the problem which i am facing is that i have created 2 groups, "admin" group and a "sftpgroup", only 1 user has been added to the admin group and there are 30 users in the sftpgroup, only user in the admin group can only run ssh command(i.e he can login using ssh) and the members of sftpgroup can only run internal-sftp command, i have used "ForceCommand" keyword for that purpose

now the thing is I want to restrict the ssh login of admin user(i.e a user who is member of admin group) from a specific IP address and that user cannot login to ssh from any IPadress other than that, i have used the keyword AllowUser in the sshd_config file for this purpose but the thing is, AllowUser line only allows that user to login to the system which is added to its list and it blocks all the other users, it will be very difficult that every time i have to add a new user in sshd_config file when he wants to access the server by sftp command(i.e every time i have to tmaper the sshd_config file which is not a good practice)

i also tried Match conditional block for this purpose in the format "Match User <name>, Address <ip-address>" but this is also not working for me, as soon as it matches the User criteria, it executes the rest of the block, but i want it to match both the criteria(i.e User and his IP address) and then it execute the block, kindly help me in this regard it is really important for me,

Thanks and Regards

 

[SirDice]

Simplest solution is to add a From="<ipaddress>" to the user's .authorized_keys file.

 

[DutchDaemon]

saifkhan123, we have just received a huge new shipment of blank lines, so do feel free to press [enter] from time to time (and use punctuation and capitals here and there) to make your posts slightly more readable.

 

[saifkhan123]

my sshd_config file

Following is the part of the sshd_config file which i have modified

#The following commands will only allow specific IP to login to ssh.
#AllowUsers admin@172.16.100.221 user1 user2
#AllowGroups

# override default of no subsystems.
Subsystem       sftp    internal-sftp

Match Group sftpgroup
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

# To restrict admin to login from specific IP
#Match Address 172.16.100.221
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /etc/ssh

#Match Group admin
#    AllowTCPForwarding no
#    X11Forwarding no
#    ForceCommand internal-sftp

i want to restrict admin user to login to the server only from 172.16.100.221 IP but i dont want to use AllowUser line, kindly suggest any other solution.

 

[saifkhan123]

correction,
the line

#Match Address 172.16.100.221

in 4th paragraph is not commented, it is

Match Address 172.16.100.221

 

[DutchDaemon]

Consider running two instances of sshd, one on port 22 with the sftp group, and one on port xxx22 with the admin group.

You can start the first instance as usual (from /etc/rc.conf) and the second instance from e.g. /etc/rc.local (/usr/sbin/sshd -f /path/to/other/config) or even cron (@reboot).

That way you can lock down each of the config files and sshd daemons without interfering with the other.

 

[SirDice]

Let me try again...

Edit the admin user's ~/.ssh/authorized_keys file. In front of his key, on the same line add

From="<ipaddress>"

That will force the admin user to always having to login from that ipaddress.

from="pattern-list"
Specifies that in addition to public key authentication, either
the canonical name of the remote host or its IP address must be
present in the comma-separated list of patterns. See PATTERNS in
ssh_config(5) for more information on patterns.

In addition to the wildcard matching that may be applied to host-
names or addresses, a from stanza may match IP addressess using
CIDR address/masklen notation.

The purpose of this option is to optionally increase security:
public key authentication by itself does not trust the network or
name servers or anything (but the key); however, if somebody
somehow steals the key, the key permits an intruder to log in
from anywhere in the world. This additional option makes using a
stolen key more difficult (name servers and/or routers would have
to be compromised in addition to just the key).

From sshd(8).

 

[saifkhan123]

thanks!!!!

Idea for running 2 sshd instances worked for me Dutch,

i m using centos 5.2 and for running 2 sshd instances i have copied sshd_config, sshd init daemon and sshd.pid files with new names and created symbolic link from sshd executeable file to the new one, i have changed the port in 2nd sshd_config file, one thing which must be done is to add the following line to the new sshd init daemon file(which is a copy of original sshd init file)

OPTIONS="-f /etc/ssh/copy_of_sshd_config"

this line will automatically pull the custom config file when sshd is started as a service at boot time,

thanks alot man......