Making -some- of the account to accept either SSH and/or logins from all or specified IP range.

Post by Markku Sukane » Sun, 06 Jul 2003 04:22:31



Ok, I've known the answer to this in the past, but it has faded from my
head.  How to modify some (not all) of the accounts under unix/linux
(RedHat7.2) to accept only SSH/SSH2 logins, and how to make some others
to accept only Telnet, and then, how to make some accounts to take
logins from only some specific IP range?

---
Dai



Post by David Efflandt » Sun, 06 Jul 2003 11:19:30



> Ok, I've known the answer to this in the past, but it has faded from my
> head.  How to modify some (not all) of the accounts under unix/linux
> (RedHat7.2) to accept only SSH/SSH2 logins, and how to make some others
> to accept only Telnet, and then, how to make some accounts to take
> logins from only some specific IP range?

I haven't really learned about xinetd yet, but /etc/hosts.allow and
hosts.deny can control access to daemons that pay attention to it (man 5
hosts_access).  The problem for me seems to be ipv6.  I used to be able to
control ssh using hostnames, then only IPs or IP ranges worked, now that
does not work in SuSE 8.2 and I resorted to ALL: UNKNOWN in hosts.deny
(and keys only for ssh, no passwords allowed).

Since I only let in ssh, smtp and http, telnet is a non-issue and I don't
even have inetd or xinetd running.  Even from Windows I can ssh in with
Putty.

--
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/
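As an added example that is not part of the thread, the script below reproduces the hosts_access(5) decision David Efflandt relies on: a daemon linked with libwrap consults hosts.allow first, then hosts.deny, the first matching line wins, and a request matching neither file is granted. The two tables are constructed and written to a temporary directory rather than /etc, the daemon names and addresses are made up, and only the common client forms are evaluated (ALL, an exact address, a trailing-dot network prefix, and an EXCEPT clause); the KNOWN/UNKNOWN keywords and netmask forms are deliberately left out.

```shell
#!/bin/sh
# Added example, not code from the thread. Evaluates hosts.allow / hosts.deny in
# hosts_access(5) order: allow file first, then deny file, then grant by default.
# Tables, daemon names and addresses below are constructed for the demonstration.
set -f   # keep '.' prefixes and any stray '*' from being glob-expanded

# write_tables DIR: create the constructed hosts.allow and hosts.deny in DIR.
write_tables() {
    cat > "$1/hosts.allow" <<'EOF'
# sshd from the office LAN, except one untrusted host
sshd: 192.168.1. EXCEPT 192.168.1.99
smtpd, httpd: ALL
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

# client_matches IP TOKEN...: 0 if IP matches the client list, where the list
# may read "list_1 EXCEPT list_2" (match list_1 unless list_2 also matches).
client_matches() {
    ip=$1
    shift
    matched=1
    excepting=0
    for tok in "$@"; do
        if [ "$tok" = EXCEPT ]; then
            excepting=1
            continue
        fi
        case $tok in
            ALL) hit=0 ;;
            *.)  case $ip in "$tok"*) hit=0 ;; *) hit=1 ;; esac ;;
            *)   if [ "$ip" = "$tok" ]; then hit=0; else hit=1; fi ;;
        esac
        if [ "$hit" -eq 0 ]; then
            [ "$excepting" -eq 1 ] && return 1
            matched=0
        fi
    done
    return $matched
}

# file_matches DAEMON IP FILE: 0 if some "daemons : clients" line in FILE
# covers both this daemon and this client; comments and blank lines are skipped.
file_matches() {
    daemon=$1
    ip=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        daemon_hit=1
        old_ifs=$IFS
        IFS=', '
        for d in $daemons; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then daemon_hit=0; fi
        done
        IFS=$old_ifs
        [ "$daemon_hit" -eq 0 ] || continue
        if client_matches "$ip" $clients; then
            return 0
        fi
    done < "$3"
    return 1
}

# hosts_access DAEMON IP DIR: 0 (grant) or 1 (refuse) in hosts_access(5) order.
hosts_access() {
    if file_matches "$1" "$2" "$3/hosts.allow"; then return 0; fi
    if file_matches "$1" "$2" "$3/hosts.deny"; then return 1; fi
    return 0
}

# Walk a few constructed requests through the tables.
WORK=$(mktemp -d)
write_tables "$WORK"
for req in "sshd 192.168.1.5" "sshd 192.168.1.99" "sshd 203.0.113.4" "httpd 203.0.113.4"; do
    set -- $req
    if hosts_access "$1" "$2" "$WORK"; then
        echo "$1 from $2: granted"
    else
        echo "$1 from $2: refused"
    fi
done
rm -rf "$WORK"
```

The ALL: ALL line in hosts.deny is what turns the allow file into a whitelist; without it, a request that matches nothing in hosts.allow is still granted, which is the default-open behaviour the evaluator's last `return 0` reproduces.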



Post by Richard E Silverman » Sun, 06 Jul 2003 12:41:11


    MS> Ok, I've known the answer to this in the past, but it has faded
    MS> from my head.  How to modify some (not all) of the accounts under
    MS> unix/linux (RedHat7.2) to accept only SSH/SSH2 logins, and how to
    MS> make some others to accept only Telnet, and then, how to make some
    MS> accounts to take logins from only some specific IP range?

This question is essentially backwards, because accounts are not active
entities that "accept" anything.  Any process running as root has the
right to create a process running under any other uid and thus "log" that
uid in.  There's no notion of there being a fixed allowed set of entryways
into the system which you can then list conveniently somewhere as being
the ones allowed for a given account.

So, to achieve this end, you have to rely on cooperating secondary effects.
For example, you could configure an OpenSSH server to only allow
public-key authentication, and only certain accounts (AllowUsers), then
use per-account presence/absence of ~/.ssh/authorized_keys and the
from=... key option to control whether and from where you can get in.  If
you can then set your Telnet server to *not* allow these accounts to log
in, but allow your other set, then you get the overall effect you want.
You might be able to accomplish that with a combination of PAM and/or
libwrap controls.

--
  Richard Silverman



Post by Sascha Schwar » Thu, 10 Jul 2003 16:44:47




> Ok, I've known the answer to this in the past, but it has faded from my
> head.  How to modify some (not all) of the accounts under unix/linux
> (RedHat7.2) to accept only SSH/SSH2 logins, and how to make some others
> to accept only Telnet, and then, how to make some accounts to take
> logins from only some specific IP range?

> ---
> Dai

If you want some users to be able to log in only from a few IP addresses, why
don't you use SSH keys with the key option 'from="1.2.3.4"'? You can also use
some wildcards to cover networks, or more than one of these statements.

best regards

sascha
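As an added example that is not part of the thread, the script below assembles the pieces Richard Silverman's and Sascha's posts describe, an sshd_config fragment that admits only named accounts and only with keys, and an authorized_keys entry restricted with a from= pattern list, and then evaluates such a pattern list against client addresses following the rules in sshd(8) PATTERNS. The account names, addresses and key blob are constructed placeholders, and the files are written to a temporary directory rather than to /etc/ssh.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a keys-only sshd_config with
# AllowUsers, an authorized_keys line carrying from=, and a matcher for from=
# pattern lists. Accounts, addresses and KEY_PLACEHOLDER are constructed.
set -f   # no pathname expansion: '*' and '?' in patterns must stay literal

WORK=$(mktemp -d)

# Constructed sshd_config fragment: keys only, and only alice and bob may log in.
cat > "$WORK/sshd_config" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF

# alice's key works from 10.1.2.0/24 and from 192.0.2.7, but not from the
# constructed "dialup" addresses 10.1.2.200-10.1.2.209. KEY_PLACEHOLDER stands
# in for the base64 key blob.
ALICE_FROM='10.1.2.*,192.0.2.7,!10.1.2.20?'
cat > "$WORK/authorized_keys" <<EOF
from="$ALICE_FROM" ssh-rsa KEY_PLACEHOLDER alice@example
EOF

# from_allows IP PATTERNLIST: returns 0 when sshd would accept a connection from
# IP for a key carrying from="PATTERNLIST". Rules from sshd(8) PATTERNS:
# comma-separated patterns, '*' and '?' wildcards, a matching '!' pattern denies
# outright, and a negated pattern never grants access by itself.
from_allows() {
    ip=$1
    list=$2
    rc=1
    old_ifs=$IFS
    IFS=','
    for pat in $list; do
        case $pat in
            '!'*)
                neg=${pat#!}
                case $ip in
                    $neg) IFS=$old_ifs; return 1 ;;
                esac
                ;;
            *)
                case $ip in
                    $pat) rc=0 ;;
                esac
                ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# user_allowed USER FILE: returns 0 when USER is named on the AllowUsers line.
user_allowed() {
    users=$(sed -n 's/^AllowUsers[[:space:]]*//p' "$2")
    for u in $users; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# Walk through a few constructed client addresses for alice.
for ip in 10.1.2.15 10.1.2.203 192.0.2.7 198.51.100.9; do
    if from_allows "$ip" "$ALICE_FROM"; then
        echo "alice from $ip: accepted"
    else
        echo "alice from $ip: refused"
    fi
done
# carol is not listed, so sshd would turn her away before looking at any key.
user_allowed carol "$WORK/sshd_config" || echo "carol: not in AllowUsers"
rm -rf "$WORK"
```

The matcher uses the shell's own `case` globbing, which also accepts bracket expressions that OpenSSH's pattern matcher does not, so it is a slight superset of what sshd evaluates; for plain `*`, `?` and `!` lists the two agree. Note that from= restricts where a particular key may be used from, not the account as such: an account with no authorized_keys file and password authentication switched off simply has no way in over SSH, which is the "presence/absence" lever Richard mentions.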


Specifying DNS based on IP range

I'm connected to the Internet via a cable modem and have my resolv.conf
configured to use my provider's name servers.  Occasionally I use ppp to
dial into work.  When I'm connected to work I need to use the DNS from
work to resolve addresses in the mycompany.com domain.  I have the
following /etc/resolv.conf:

search nblvl1.in.home.com home.com
nameserver 24.4.162.33
nameserver 24.4.162.34
nameserver 144.250.1.10

The 24.x nameservers are my provider's.  The 144.x nameserver is the
DNS at work that I want to use to resolve addresses in the mycompany.com
domain.  I thought that when doing name lookups, if the first two nameservers
couldn't resolve the address it would fall back on the last.  Apparently
it doesn't work this way because the only way I can resolve names when
connected to work is to put "nameserver 144.250.1.10" first in resolv.conf.
Otherwise it tries to resolve using my provider's DNS and fails.  When I put
"nameserver 144.250.1.10" as the first line I can't resolve names other than
in mycompany.com (that nameserver is behind a firewall and can't resolve
addresses on the Internet at large).  When I'm connected to work via ppp and
the Internet via cable modem I'd like to be able to resolve names within
mycompany.com via my work DNS and all others via my provider's DNS.

Is there a way to specify that I want mycompany.com resolved by
144.250.1.10 and all others resolved using my provider's DNS?
