comp.security.ssh: SSH secure remote login and tunneling tools.
#1
Hello,

I want to configure an ssh gateway between the internet and my intranet. The specifications are:
- a user from the internet cannot log in to the ssh_gateway
- some users (admins) from the intranet can log in to the ssh_gateway

How can I do that?
Can I allow sshd to accept logins only from an IP address range?

Is it more secure to only accept port forwarding on ssh_gateway?

Thanks,
Sylvain
#2
Sylvain Ferriol <sferriol@imag.fr> writes:
> Hello,
>
> I want to configure an ssh gateway between the internet and my intranet.
> The specifications are:
> - a user from the internet cannot log in to the ssh_gateway
> - some users (admins) from the intranet can log in to the ssh_gateway
>
> How can I do that?
> Can I allow sshd to accept logins only from an IP address range?
>
> Is it more secure to only accept port forwarding on ssh_gateway?

TCP Wrappers rather than an sshd config is the place to do this.

The 30 second tutorial, assuming it's installed:

Edit /etc/hosts.deny. Make this the one and only line:

    sshd: ALL

Or, if you want to get more restrictive and don't host external services on the box, make that:

    ALL:ALL

which denies everything by default except things specifically allowed.

Next, edit /etc/hosts.allow. Add lines:

    sshd: ip.address.to.allow.here
    sshd: ip.address2.to.allow.here
    sshd: ip.address3.to.allow.here
    sshd: ip.address4.to.allow.here
    sshd: intranet.mycompany.com

Man hosts.allow for more details and different ways to specify IP ranges and subnets. If your intranet hosts reverse resolve to a consistent name, e.g. host123.intranet.mycompany.com, then

    sshd: intranet.mycompany.com

would be your hosts.allow entry.

Best Regards,
--
Todd H.
http://www.toddh.net/
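A fuller version of the TCP Wrappers configuration Todd describes, added here as an example and not taken from his post. It assumes the intranet is 192.168.0.0/24, that 192.168.0.200 is a host on that range you do not trust, that the admin workstations are 10.1.2.3 and 10.1.2.4, and that this sshd is actually linked against libwrap. That last assumption is the important caveat: portable OpenSSH dropped libwrap support in 6.7, so on a current build these two files have no effect on sshd at all and the restriction has to live in sshd_config or in a packet filter. Network/netmask notation is the portable form of a range; the dotted-suffix name form depends on consistent reverse DNS for the clients.

```text
# /etc/hosts.deny
# Consulted only when no line in hosts.allow matched; with no other
# network services on the box, "ALL: ALL" here is the stricter choice.
sshd: ALL

# /etc/hosts.allow
# Consulted first; the first matching line grants access.
# Assumed intranet range, minus one assumed untrusted host:
sshd: 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.200
# Assumed admin workstations, listed individually:
sshd: 10.1.2.3, 10.1.2.4
# Name-based form; matches any client whose reverse lookup ends in this suffix:
sshd: .intranet.mycompany.com
```

The tcp_wrappers package ships two tools for checking this: `tcpdchk -v` validates both files and reports patterns that can never match, and `tcpdmatch sshd 192.168.0.10` (or `tcpdmatch sshd 203.0.113.7`) prints the decision that would be taken for that client without waiting for a real connection. Note what this does and does not do: it decides who may reach sshd at all, and it cannot distinguish a shell from a port forward, which is the distinction the rest of the thread turns on.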
#3
Todd H. wrote:
> Sylvain Ferriol <sferriol@imag.fr> writes:
>> Hello,
>>
>> I want to configure an ssh gateway between the internet and my intranet.
>> The specifications are:
>> - a user from the internet cannot log in to the ssh_gateway
>> - some users (admins) from the intranet can log in to the ssh_gateway
>>
>> How can I do that?
>> Can I allow sshd to accept logins only from an IP address range?
>>
>> Is it more secure to only accept port forwarding on ssh_gateway?
>
> TCP Wrappers rather than an sshd config is the place to do this.
>
> The 30 second tutorial, assuming it's installed:
>
> Edit /etc/hosts.deny. Make this the one and only line:
> sshd: ALL

The problem is that I want to allow port forwarding from the internet to the intranet, like this:

    ssh -N -L 4444:foo_server:4444 sshd_gateway

> Or, if you want to get more restrictive and don't host external
> services on the box, make that:
> ALL:ALL
>
> which denies everything by default except things specifically
> allowed.
>
> Next, edit /etc/hosts.allow. Add lines:
> sshd: ip.address.to.allow.here
> sshd: ip.address2.to.allow.here
> sshd: ip.address3.to.allow.here
> sshd: ip.address4.to.allow.here
> sshd: intranet.mycompany.com
>
> Man hosts.allow for more details and different ways to specify IP
> ranges and subnets. If your intranet hosts reverse resolve to a
> consistent name, e.g. host123.intranet.mycompany.com, then sshd:
> intranet.mycompany.com would be your hosts.allow entry.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/
#4
Sylvain Ferriol <sferriol@imag.fr> writes:
> Todd H. wrote:
>> Sylvain Ferriol <sferriol@imag.fr> writes:
>>> Hello,
>>>
>>> I want to configure an ssh gateway between the internet and my intranet.
>>> The specifications are:
>>> - a user from the internet cannot log in to the ssh_gateway
>>> - some users (admins) from the intranet can log in to the ssh_gateway
>>>
>>> How can I do that?
>>> Can I allow sshd to accept logins only from an IP address range?
>>>
>>> Is it more secure to only accept port forwarding on ssh_gateway?
>>
>> TCP Wrappers rather than an sshd config is the place to do this. The
>> 30 second tutorial, assuming it's installed: edit /etc/hosts.deny.
>> Make this the one and only line: sshd: ALL
>
> The problem is that I want to allow port forwarding from the internet to
> the intranet, like this:
> ssh -N -L 4444:foo_server:4444 sshd_gateway

Are your requirements opposed to each other?

If you want to allow a forward connection from the internet to the intranet on the gateway to set up that port forwarding, you can't prohibit "a user from the internet cannot log in to the ssh_gateway."

Or are you saying you want to allow this port forwarding, but no interactive login shells for internet users?

--
Todd H.
http://www.toddh.net/
#5
Sylvain Ferriol <sferriol@imag.fr> writes:
> Hello,
> I want to configure an ssh gateway between the internet and my intranet.
> The specifications are:
> - a user from the internet cannot log in to the ssh_gateway
> - some users (admins) from the intranet can log in to the ssh_gateway
> How can I do that?
> Can I allow sshd to accept logins only from an IP address range?

Use hosts.allow and only allow from the specific address range. ssh uses tcpwrapper.

> Is it more secure to only accept port forwarding on ssh_gateway?
> Thanks,
> Sylvain
#6
Todd H. wrote:
> Sylvain Ferriol <sferriol@imag.fr> writes:
>> Todd H. wrote:
>>> Sylvain Ferriol <sferriol@imag.fr> writes:
>>>> Hello,
>>>>
>>>> I want to configure an ssh gateway between the internet and my intranet.
>>>> The specifications are:
>>>> - a user from the internet cannot log in to the ssh_gateway
>>>> - some users (admins) from the intranet can log in to the ssh_gateway
>>>>
>>>> How can I do that?
>>>> Can I allow sshd to accept logins only from an IP address range?
>>>>
>>>> Is it more secure to only accept port forwarding on ssh_gateway?
>>>
>>> TCP Wrappers rather than an sshd config is the place to do this. The
>>> 30 second tutorial, assuming it's installed: edit /etc/hosts.deny.
>>> Make this the one and only line: sshd: ALL
>>
>> The problem is that I want to allow port forwarding from the internet to
>> the intranet, like this:
>> ssh -N -L 4444:foo_server:4444 sshd_gateway
>
> Are your requirements opposed to each other?
>
> If you want to allow a forward connection from the internet to the intranet on
> the gateway to set up that port forwarding, you can't prohibit "a user
> from the internet cannot log in to the ssh_gateway."

Why?

> Or are you saying you want to allow this port forwarding, but no
> interactive login shells for internet users?

Yes.
#7
On 2006-09-21, Sylvain Ferriol <sferriol@imag.fr> wrote:
> Todd H. wrote:
[...]
>> If you want to allow a forward connection from the internet to the intranet on
>> the gateway to set up that port forwarding, you can't prohibit "a user
>> from the internet cannot log in to the ssh_gateway."
> Why?
>>
>> Or are you saying you want to allow this port forwarding, but no
>> interactive login shells for internet users?
>>
> Yes.

There are a couple of new features in OpenSSH 4.4 (and newer) that could help here: "PermitOpen", which controls which port forwards are allowed, and "Match", which can apply those restrictions to a subset of connections.

So assuming your local net is 192.168.0.0/24 and you wanted to allow any commands or forwards from connections originating from it, this would be something like:

    Match Address 192.168.0.*
        PermitOpen any
    Match Address *
        PermitOpen 1.2.3.4:44444

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
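A complete sshd_config fragment for the requirement as finally stated in the thread (forward-only access from the internet, a real shell plus unrestricted forwards for intranet admins), added here as an example and not taken from Darren's post. It assumes the intranet is 192.168.0.0/24 and that foo_server is 10.0.0.5 listening on port 4444. It is written for a current OpenSSH: PermitTTY, AllowAgentForwarding inside a Match block and the local/remote arguments to AllowTcpForwarding all postdate 4.4, so on a 4.4-era server only the PermitOpen and ForceCommand lines apply. Two rules of Match make the layout work: for each keyword the first Match block that sets it wins (which is also why Darren's catch-all comes second), and a negated address pattern never matches on its own, so the catch-all block here pairs `!192.168.0.0/24` with `*`.

```text
# /etc/ssh/sshd_config (added example; the addresses are assumptions)

# Global section: hardening that applies to every connection.
PermitRootLogin no
PasswordAuthentication no        # keys only, from the internet in particular
X11Forwarding no
PermitTunnel no
AllowAgentForwarding no
# Local (-L) forwards are the gateway's purpose. Remote (-R) forwards would
# let an internet client expose a listener on the gateway, so refuse them.
AllowTcpForwarding local

# Intranet admins: interactive login and forwards to any destination.
Match Address 192.168.0.0/24
    PermitOpen any
    AllowAgentForwarding yes

# Everything that is not the intranet: one forward target, no shell, no pty.
Match Address !192.168.0.0/24,*
    PermitOpen 10.0.0.5:4444     # the only destination "ssh -L" may reach
    ForceCommand /bin/false      # a shell or command request ends at once
    PermitTTY no
```

Before reloading, ask sshd what it would apply to a given client: `sshd -T -C addr=203.0.113.7,user=alice,host=example.net | grep -iE 'permitopen|forcecommand|permittty|allowtcpforwarding'` should print the restricted values, and the same command with `addr=192.168.0.10` the admin values. From the outside, `ssh -N -L 4444:10.0.0.5:4444 sshd_gateway` then works, while `ssh -N -L 2222:10.0.0.6:22 sshd_gateway` still authenticates but the forward is refused with "administratively prohibited: open failed" the moment something connects to the local port. Keep in mind that the internet user does still authenticate to the gateway; what "cannot log in" buys here is the absence of a shell, so the handling of those users' keys matters as much as this file does.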