Ssh – allow ssh login for certain groups from certain IP addresses, deny from other addresses


OS: CentOS 6.5 SSH v5.3

Goal:

  • root access is allowed with PubKeyAuthentication from several hosts.

  • users of "group1" are allowed to log in with whatever they provide: PubKey, Password, GSSAPI, KerberosPassword; but they are only allowed to arrive from one certain IP: 192.168.1.10

Status: root access is already defined via multiple from="" entries in ~/.ssh/authorized_keys, and works as expected.

Problem: users of group1 can arrive from 192.168.1.10 OR from elsewhere; or are locked out completely (with earlier tested configurations).

I tried several variations, but to no avail.

/etc/pam.d/sshd effectively looks like:

    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet

Currently I have in sshd_config :

    PermitRootLogin without-password
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    UsePAM yes

    AllowGroups root group1

    Match Group group1@192.168.1.10
        KerberosAuthentication yes
        PasswordAuthentication yes
        GSSAPIAuthentication yes
        PubKeyAuthentication yes
    Match Group root
        PubKeyAuthentication yes

Any proposals?

Best Answer

I found a working solution. sshd debug mode (/usr/sbin/sshd -ddd) indicated the missing link:

    debug1: connection from 192.168.1.111 matched 'Address *'
    debug3: match found
    [...]
    Accepted **keyboard-interactive/pam** for xxx from \ 
           192.168.1.111 port 54282 ssh2

As you can see, the login matched the correct block, but due to UsePAM yes, PAM obviously overruled the "no" entries in the Match Address * block; see the manual:

    UsePAM  Enables the Pluggable Authentication Module interface. 
            If set to “yes” this will enable PAM authentication using
            [...] PasswordAuthentication

The final config looks like:

    PermitRootLogin without-password
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no

    UsePAM yes

    AllowGroups root group1

    Match Address 192.168.1.10
      KerberosAuthentication yes
      PasswordAuthentication yes
      GSSAPIAuthentication yes
      PubKeyAuthentication yes
      KbdInteractiveAuthentication yes

    Match Group root
      PubKeyAuthentication yes

    Match Address *
      KerberosAuthentication no
      PasswordAuthentication no
      GSSAPIAuthentication no
      PubKeyAuthentication no
      KbdInteractiveAuthentication no

Only after adding KbdInteractiveAuthentication no was the PAM password feature disabled for this block; users coming from anywhere are now successfully denied.
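To see why the catch-all block matters, here is an added example (not from the question or the answer) that emulates how sshd resolves the *Authentication keywords for one connection: the global section sets values, then satisfied Match blocks apply in file order, and the first block to set a keyword wins. `effective_auth`, `_addr_ok`, `_match_ok` and the connection dicts are constructed for this illustration; the config text is condensed from the accepted answer to the keywords modelled.

```python
import ipaddress

# sshd's compiled-in defaults for the keywords this page is about (subset, constructed).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}

def _addr_ok(pattern, addr):  # Match Address: '*', exact IP or CIDR, comma-separated
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or p == addr or ("/" in p and ip in ipaddress.ip_network(p, False))
               for p in pattern.split(","))

def _match_ok(criteria, conn):  # every criterion on the Match line must hold
    toks = criteria.split()
    return all((c.lower() != "address" or _addr_ok(p, conn["addr"])) and
               (c.lower() != "group" or set(p.split(",")) & set(conn["groups"]))
               for c, p in zip(toks[0::2], toks[1::2]))

def effective_auth(config, conn):
    """Resolve the *Authentication keywords for one connection the way sshd does:
    global section first, then each satisfied Match block in file order, and the
    FIRST matching block to set a keyword wins (later blocks cannot change it)."""
    eff, fixed, in_match, matched = dict(DEFAULTS), set(), False, False
    for line in (l.strip().replace("\t", " ") for l in config.splitlines()):
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            in_match, matched = True, _match_ok(val, conn)
        elif key in DEFAULTS and (not in_match or matched and key not in fixed):
            eff[key] = val.lower()
            if in_match:
                fixed.add(key)
    return eff

# Constructed from the accepted answer's final sshd_config (only the keywords modelled here).
FINAL = """PasswordAuthentication no
UsePAM yes
Match Address 192.168.1.10
  PasswordAuthentication yes
  PubkeyAuthentication yes
  KbdInteractiveAuthentication yes
Match Group root
  PubkeyAuthentication yes
Match Address *
  PasswordAuthentication no
  PubkeyAuthentication no
  KbdInteractiveAuthentication no
"""
# The asker's earlier attempts had no catch-all block; drop it to expose the PAM path.
WITHOUT_CATCHALL = FINAL.split("Match Address *")[0]
G1_FAR = {"groups": ["group1"], "addr": "192.168.1.111"}   # group1 user, wrong host
```

`effective_auth(WITHOUT_CATCHALL, G1_FAR)` leaves KbdInteractiveAuthentication at its default of yes, which is the door PAM's keyboard-interactive password prompt came through, while `effective_auth(FINAL, G1_FAR)` returns no for every method. On the real host the authoritative check is sshd's extended test mode, `sshd -T -C user=...,host=...,addr=...`, which prints the effective configuration for that connection.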
