[lug] Cracking attempts via SSH (somewhat OT)

Daniel Miller dan.miller at usu.edu
Wed Sep 8 20:53:54 MDT 2004


On Wed, 08 Sep 2004 19:42:16 -0600 (MDT)
Ben Luey <lueyb at jilau1.Colorado.EDU> wrote:

> On the subject of ssh logins and security, I'm trying to reduce the number
> of accounts that have remote ssh access to a server, and so I installed
> scponly.  Scponly gives users scp / sftp access but no shell access and
> chroots to their home directory. This is great, but I would like some
> users to have ssh login access from inside our firewall, but because
> scponly is installed as their shell, I don't know how to do this. Is it
> possible to somehow have a host specific shell? 

Well, there is the obvious way, which would be to give each person two users. One would be used when inside the firewall and a different one would be used when outside. They could both have the same default group and home directory.

Obviously that isn't a very clean solution, so I wonder if you could branch within the shell somehow, like making someone's default shell a script that looks like this:

#!/bin/bash

# $connectingip still has to be filled in with the client's address.
# The original [ ... ] test used > and <, which the shell takes as
# redirections, and dotted-quad strings do not compare numerically
# anyway, so match the 192.168.0.0/16 range with a pattern instead.
case "$connectingip" in
	192.168.*)
		exec /bin/bash
		;;
	*)
		exec /bin/scponly
		;;
esac

As you can see, this needs some work, as I'm not sure how you would actually get the connecting IP address.

It may be possible to use some sort of Internet super daemon like inetd.  ipsvd looks like it would do what you are looking for.  I've never used it.  From the description:

ipsvd is a set of "internet protocol service daemons" for TCP/IP and UDP/IP. An ipsvd daemon waits for incoming connections on a socket; for new connections, it conditionally runs an arbitrary program to handle the connection. The daemons can be told to read and follow pre-defined instructions on how to handle incoming connections; based on the client's IP address or hostname, they can run different programs, set a different environment, deny a connection, or set a per host concurrency limit. On Linux the network connection optionally can be encrypted using SSLv3.

> Also, anyone have
> recommendations on having ssh restrict certain users to login from
> only certain domains?
> 

I think tcpwrappers can do this quite nicely.  Check out the man page for hosts.allow or hosts.deny.

> 
> Thanks,
> 
> Ben
> 

Dan
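The piece Dan leaves open, getting the connecting address, is supplied by sshd itself: OpenSSH exports SSH_CONNECTION ("client_ip client_port server_ip server_port") into the session environment. The following login-shell wrapper is an added example, not code from the original thread; the 192.168.0.0/16 inside range, the two shell paths and the SHELL_DISPATCH_NOEXEC test hook are assumptions for the example. It does a real prefix check rather than a string comparison, and treats anything that is not a valid inside address (including no SSH_CONNECTION at all) as outside, so a missing or malformed value can never hand out the full shell.

```shell
#!/bin/sh
# Added example (not from the original post): a login shell that dispatches
# on the SSH client's address.  Full shell from inside the network, scponly
# from anywhere else.  sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port" in the session environment.
# Assumed for the example: the inside range, both shell paths, and the
# SHELL_DISPATCH_NOEXEC hook that lets the functions be exercised in tests.

set -f   # no pathname expansion; ip_to_int relies on unquoted word splitting

INSIDE_NET="192.168.0.0/16"
INSIDE_SHELL="/bin/bash"
OUTSIDE_SHELL="/usr/bin/scponly"

# ip_to_int DOTTED: print the address as an unsigned 32-bit integer.
# Fails (returns 1) unless given four decimal octets 0..255; zero-padded
# octets are rejected too, since the shell would read them as octal.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed if ADDR lies inside the prefix.
in_cidr() {
    case $2 in */*) ;; *) return 1 ;; esac
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    if [ "$bits" -eq 0 ]; then
        mask=0   # a shift by 32 is undefined, so /0 is special-cased
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# pick_shell ADDR: print the shell to run for a client at ADDR.  Anything
# that is not a valid inside address (empty string included) gets the
# restricted shell; deny by default.
pick_shell() {
    if in_cidr "$1" "$INSIDE_NET"; then
        echo "$INSIDE_SHELL"
    else
        echo "$OUTSIDE_SHELL"
    fi
}

# Dispatch when sshd started this file as the user's login shell.  "$@"
# forwards "-c command", which is how sshd runs scp/sftp through the shell,
# so scponly still sees the command it has to vet.  Without SSH_CONNECTION
# (console login, su) nothing is executed and the session simply ends.
if [ -n "$SSH_CONNECTION" ] && [ -z "$SHELL_DISPATCH_NOEXEC" ]; then
    exec "$(pick_shell "${SSH_CONNECTION%% *}")" "$@"
fi
```

To use it, install the script somewhere like /usr/local/bin/ssh-shell-dispatch, list that path in /etc/shells and make it the user's login shell. Two caveats a practitioner will want to check: sshd's PermitUserEnvironment must stay at its default of no, otherwise a user could plant their own SSH_CONNECTION in ~/.ssh/environment and claim an inside address; and a user who does get the full shell from inside can run chsh and switch their login shell to /bin/bash outright if it is listed in /etc/shells, which then applies from outside as well, so either restrict chsh or keep the wrapper as the only permitted shell for those accounts.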
