ssh, deny/allow root logins 2

Status
Not open for further replies.

shadedecho (Programmer; joined Oct 4, 2002; 336 messages; US)
I've got ssh running on a set of closely related servers. Up until now, I've had root login in ssh disabled, as is the common concept in securing a server. And please don't try to argue why this IS the more secure path, because I already agree with you.

However, I've run across a situation where I need to allow root ssh logins, ONLY from one of those related servers that I manage, though. Unfortunately, the way this situation is, it's not an option to login with a user and then su-, as I would prefer, it would have to be root being logged in via ssh.

Is there a way to allow root login ONLY from a specified set of hosts for ssh?
 
What about using tcpwrappers to restrict by IP?
 
tcpwrappers or iptables couldn't take into account the user logging in, it would have to deny ssh access everywhere.

You write a wrapper for the shell that checks the IP address of the login and doesn't spawn the shell if it's from the wrong place. Then install that as the shell for root in /etc/passwd.

You may be able to get around the need for root with sudo and the NOPASSWD option for the duties that need to be performed.
 
Anywhere I might go besides just a random Google search to find out how to write a wrapper around the bash shell to do what you are referring to?

Would it be as simple as putting some small program in the .bashrc login sequence for root, which could somehow return a fail code or something like that if the IP address didn't match, to cause the launch of the root shell to fail?
 
I found this article:

Looks like you can do this by adding options (specifically "from=<hostname>") to your keys. Should be able to make what you want to happen using this method.

*sigh* Well, maybe not. This only works if you can force root to have to use keypairs (I don't know if/how to do that). My Fedora Core 3 box has an /etc/security/access.conf file that lets you specify users and the hosts they are allowed to login from. Maybe a combination of the two methods will get you where you want.

----
JBR
 
The addition to the bashrc would be effective, but not completely secure. It's a timing condition, but you could actually break out of it. Along the same lines, though, you can install a program that ssh runs automatically when it logs in by putting it in root's ~/.ssh/rc file.

Read the man page for ssh_config.

 
You could further use PAM to restrict root.
 
You could set up your iptables to block (drop) all ssh requests except for those originating from the desired IP.

From there modify your ssh config to allow root logins.

*I STRONGLY ADVISE AGAINST THIS*

Your best bet is to block as described above, then have the user needing root access escalate his privs by using 'su', which will give him/her root privs w/o risking security by allowing root to login directly.
 
BitFuzzy-

The problem with the IP tables approach is that I still have to be able to allow non-root SSH logins from everywhere else, I only want to deny ROOT login from everywhere outside my trusted IP network.

also, from my original post:

Up until now, I've had root login in ssh disabled, as is the common concept in securing a server. And please don't try to argue why this IS the more secure path, because I already agree with you...

...Unfortunately, the way this situation is, it's not an option to login with a user and then su-, as I would prefer...


plamb-

I have PAM installed... I don't know how to use that to restrict root to only certain IP's, though, can you elaborate? Is the /etc/security/access.conf that I refer to below part of PAM?

flugh-

I haven't used Fedora before, only RH from the days of ol'... These boxes are currently debian 3.x installs. Anyway, I do have /etc/security/access.conf present on my system.

From my reading of it, it appears you can specify an allow (+) permission for a specific host/user, and then a deny (-) permission for "ALL", and it should only match that username and host, and "all" others would be denied access. This sounded exactly like what I wanted.

I added the following 2 lines in that file and rebooted.

+:root :xxx.xxx.xxx.xxx.
-:root :ALL

with xxx.xxx.xxx.xxx being the IP address of the box I want to grant root login to.

Root is able to log in, as well as other users, so at least I didn't lock myself out (which I was afraid of). However, root is also able to log in from other IP addresses than the one I specified. :(

Is there some way to verify that:

1. I've formatted the rules in the file correctly, and
2. SSH is actually using this mechanism to decide on authentication rules.

Any ideas?
 
OK, I figured this out, wanted to let everyone know for posterity's sake (and btw, thanks to flugh's post -- turned me on to the right solution eventually):

1. make sure you have PAM installed.

2. make sure "UsePAM yes" is in your /etc/ssh/sshd_config file.

3. make sure "PermitRootLogin yes" is in your /etc/ssh/sshd_config file.

4. make sure "account required pam_access.so" is in your /etc/pam.d/ssh file.

5. make sure something like "-:root:ALL EXCEPT xxx.xxx.xxx.xxx" is in your /etc/security/access.conf file.

This will allow root logins via SSH ONLY from the IP address you specify there, say an IP of a trusted machine. You could also replace "xxx.xxx..." with "LOCAL" and it would allow root logins ONLY from the localhost. This seems a little counter-intuitive, like "what's the point?", but you may have processes or programs which want to ssh to a box to do something, as I describe in just a moment, and in this way you can restrict root to be able to login via SSH ONLY from the same machine.

I use this, for instance, in combination with public/private keys (so that root can login WITHOUT a password from a certain host) so that my backup program (which happens to be dirvish, running on my other trusted server) can ssh into the box without a root password and back everything up. But it keeps the root login ONLY allowed from that trusted machine, so I don't have to worry about the other security implications.
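
The rule from step 5 above, run through a simplified model of how pam_access reads access.conf: the first matching line decides, and a login that matches no line is granted. This is an added example, not code from the thread or from PAM itself; the function names are hypothetical, 192.0.2.10 is a constructed stand-in for the trusted host, and list items are assumed to be whitespace-separated.

```python
# Simplified model of pam_access rule evaluation (added example).
# Supported: ALL, exact user names, exact IPv4 addresses, network
# numbers ending in ".", and EXCEPT. Not modelled: groups, netgroups,
# netmasks, host names, tty names, LOCAL.

def token_match(token, value):
    if token.upper() == "ALL":
        return True
    if token.endswith("."):          # network number, e.g. "192.0.2."
        return value.startswith(token)
    return token == value

def list_match(tokens, value):
    """'A EXCEPT B': value must match A and must not match B."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(token_match(t, value) for t in head):
        return False
    return not (tail and list_match(tail, value))

def parse(text):
    """Parse 'permission:users:origins' lines, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def access_allowed(rules, user, origin):
    for perm, users, origins in rules:
        if list_match(users, user) and list_match(origins, origin):
            return perm == "+"       # first matching line decides
    return True                      # no line matched: access granted

# Constructed sample input: the single rule from step 5.
RULES = parse("-:root:ALL EXCEPT 192.0.2.10\n")
```

With these rules root is refused from every origin except 192.0.2.10, while non-root users match no line and are still admitted from anywhere.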
 
Very cool of you to post back to the forum. Thanks.
 
Just for everyone's benefit as well.
You CAN do secondary or primary access control via iptables.

The privileged host can be configured with a set of logging and egress rules in the output chain of iptables using the match rule and owner option.
Code:
  owner
       This module attempts to match various  characteristics  of
       the  packet creator, for locally-generated packets.  It is
       only valid in the OUTPUT chain, and even this some packets
       (such as ICMP ping responses) may have no owner, and hence
       never match.

       --uid-owner userid
              Matches if the packet was created by a process with
              the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with
              the given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with
              the given process id.

       --sid-owner sessionid
              Matches  if  the packet was created by a process in
              the given session group.

Just a fyi! ;)
 