basic shell access problem



I'd like to ask for your advice on a basic shell access problem.

This is actually much more a policy problem than a technical ssh
question, but I think it is very relevant for this group.

We want to allow selective shell access to our "gateway" server for
remote hosts. We already have a contemporary "blacklisting" solution to
kick out the usual account-cracking trials.

We also employ the "AllowUsers" sshd_config solution to permit specific
user/IP combinations. In practice it is becoming really annoying for
both maintainers and users, though. It is very tempting for some people
to put a "user@*" entry in there ...

How do you people manage this?

I know there are many possibilities. Allowing public-key-based logins
only is not an option because we have too many undereducated users
(using unsafe computers). A VPN-like solution is also overkill for
us. I am leaning towards some solution placed in the router/firewall
rather than on a specific server.
Any comment highly appreciated.

Michal Kurowski

Re: basic shell access problem


Commonly used options like RSA SecurID need software installed
on the client; they allow forcing the disabling of any local LAN on the
client, which is a good idea to keep any crap out of your
network. But this is a VPN solution and usually needs root access
to the client to install the software.

Presuming people are using dynamic IPs and don't change their ISP
every day, you could allow login from the IP range this ISP uses.
I never tested whether network/netmask can be used with AllowUsers;
it should be trivial to test out.

Allowing key login only is a good idea; perhaps you can educate
users with some documentation, including screenshots for their
clients, on how to use it. If you can't overcome one of your
restrictions, it doesn't sound that easy.

Good luck

Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 18: excess surge protection
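As an added example (not from either post) of the two ideas raised in the thread, the "user@*" shortcut versus a per-ISP network range, and key-only as the default with passwords allowed only from known ranges: an sshd_config fragment with constructed user names and placeholder address blocks. It relies on the CIDR form of the HOST part in AllowUsers and on Match blocks, both available in newer OpenSSH releases.

```sshd_config
# Added example of the approach discussed above; not from either post.
# User names and address ranges are constructed placeholders.

# The tempting shortcut, and what it costs: "alice@*" accepts alice's
# password from any source address on the Internet.
#AllowUsers alice@* bob@198.51.100.23

# Keep the account list, but express the source as a network rather than
# a single host, so a user on a dynamic address inside their ISP's block
# still matches (CIDR is accepted in the HOST part of USER@HOST).
# "ops" has no host part: allowed from anywhere, but key-only (see below).
AllowUsers alice@203.0.113.0/24 bob@198.51.100.0/22 ops

# Default for everyone: public key only, few guesses per connection.
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3

# Password logins are re-enabled only for the named user from the named
# range. A Match block extends to the next Match (or end of file), so
# keep the global settings above this line.
Match User alice Address 203.0.113.0/24
    PasswordAuthentication yes

Match User bob Address 198.51.100.0/22
    PasswordAuthentication yes
```

Before reloading, `sshd -t` checks the syntax, and `sshd -T -C user=alice,addr=203.0.113.7` prints the settings sshd would actually apply to that user/source pair, which is the quickest way to confirm a Match block does what you intended.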
