[Gllug] Limiting SSH access

Alain Williams addw at phcomp.co.uk
Thu Apr 3 10:32:06 UTC 2003


> -----Original Message-----
> From: French, Alastair [mailto:Alastair.French at racalinstruments.com]
> Sent: 03 April 2003 11:02
> To: 'gllug at linux.co.uk'
> Subject: RE: [Gllug] Limiting SSH access 
> 
> 
> Thanks for all the replies
> 
> I have passed the details onto our sysadmins.
> 
> They only asked me as they know I run linux at home and they are all Windows
> people.
> 
> The machine in question will be running accounts s/w and need to be
> accessible by the external company that do our accounts (that's why they
> don't want in the DMZ). They supplied the box and set it up initially. I get
> the feeling that our guys would like to secure it a bit more and would like
> to have some ideas before going back to the accounts lot with some ideas.
> 
> Most of the NT boxes have the appropriate restrictions in place to stop
> unauth access to critical stuff, but I guess this is just an extra
> precaution.
> 
> Thanks for all the ideas

Something that I do on Internet visible boxen is add (with pam) a list of users that CAN
access the box. Here is a complete listing of /etc/pam.d/sshd:
	#%PAM-1.0
**	auth       required     /lib/security/pam_listfile.so sense=allow item=user file=/etc/ssh/sshAuthorisedUsers onerr=fail
	auth       required     /lib/security/pam_stack.so service=system-auth
	auth       required     /lib/security/pam_nologin.so
	account    required     /lib/security/pam_stack.so service=system-auth
	password   required     /lib/security/pam_stack.so service=system-auth
	session    required     /lib/security/pam_stack.so service=system-auth
	session    required     /lib/security/pam_limits.so
	session    optional     /lib/security/pam_console.so

The line flagged '**' is the one that I added.

The file /etc/ssh/sshAuthorisedUsers contains something like:
	addw
	bill
	ben
	weed

I also do something similar with FTP. IMHO the 'standard' ftp mechanism of a list of users who cannot
login is the wrong way round; it stems from the old internet days when, by & large, everyone was
friendly/responsible with just a few bad guys; today it has to be a case of 'guilty until proven
innocent' as far as security is concerned.

-- 
Alain Williams

#include <std_disclaimer.h>

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug