restricting ssh login based on IP

Rafael Skodlar raffi at linwin.com
Sat Feb 26 18:37:09 UTC 2011


On 02/26/2011 12:09 AM, Dan Sheffner wrote:
> Like Michael said I would accomplish this with two users.  Just off the
> top of my head I would do:
>
> user 1) has full read/write access to /home/user1
> user 2) has read only access to /home/user2
>
> schedule cron to rsync from /home/user1 to /home/user2 and make
> everything read only for the /home/user2.
>
> Dan

Not knowing what exactly you are trying to achieve, it's hard to give 
you a specific answer.

Like others have suggested, you seem to be complicating this too much. To 
add to Dan's suggestion: you can have logins set up for an unlimited number 
of users to share the same home directory. Depending on the group 
permissions you can restrict access rights to different users.

However, to limit abilities of each user to "do things on the same 
files" you would need to use a different shell.

For example:
-- User-- -- Group--
user1     group1
user2     group2
user3     group2
user4     group3

user1:x:1000:1000:User One,,,:/home/user1:/bin/bash
user2:x:1001:1005:User One,,,:/home/user1:/bin/bash
user3:x:1002:1005:User One,,,:/home/user1:/bin/rsh
user4:x:1003:1005:User One,,,:/home/user4:/usr/local/bin/script
           ^    ^
           |    |
UID -------|    |
GID ------------|

Permissions for user1 home directory (or any other directory!)
drwxr-x--- group1 /home/user1
has read, write, and execute access to everything

user2 is in group2 (GID) so it has read and execute access in /home/user1

user3 has also read and execute access in /home/user1 but has a 
restricted shell. Note that rsh is a name for different shells to make 
it more confusing.

user4 would only be able to run a certain script that would "do things 
on user1's files". /usr/local/bin/script could be any program including 
GUI. Not the most elegant but certainly possible.

Assuming you are doing this on LAN, you could simply use NFS to restrict 
users to read only from systems with particular IPs.

Note that "home directory" is nothing special. It's just a place where a 
user is put during login by what is specified in the /etc/passwd 
file. That's why the two-user system suggested by Dan is the easiest to do.

The above are not the only options and you don't need to restrict 
yourself to the ssh protocol. If you want a user from a specific address to 
only see files on another system you could run a web server in either http 
or https mode and set up appropriate authentication to connect.

To get to your original request, you could use ssh_config and its 
option LocalCommand. I haven't tried it, but if I understand this 
correctly, you could execute a command, a restricted shell for example, 
as soon as you log in. Check man pages.

Note that user1 on 192.168.1.2 could be put in a different group than 
user1 on 192.168.1.1. If you used sshfs and remapped user/group ID, you 
could make it read only.

sshfs is the best way to mount whatever directory from a remote system 
to a local one as it provides "instant effect" in file changes unlike 
rsync, sftp, etc.

In general, it's better to have "data files" elsewhere than the home 
directory as that makes it easier to put restrictions on their 
permissions including chroot. Why give somebody read only access to your 
home if you don't trust them in the first place? That's a pry bar in the door.

I believe that a setup with two different logins and a "dedicated data 
area" outside the user home directory is the safest and the easiest to do. 
Not only that, it prevents your big security hole. Just because you 
restrict _user1_ from 192.168.1.2 to a read only mode, nothing (?) 
prevents that same user from going from 192.168.1.2 to 192.168.1.15 and 
hopping to 192.168.1.1.

Two users sharing an account on any system connected to the Internet is 
like sharing used shorts.

> On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet <Michael.Zoet at zoet.de>
> wrote:
>
>     On 26.02.2011 06:32, Tapas Mishra wrote:
>      > Hi,
>
>     Hi Tapas,
>
>      >
>      > I would like to allow a user to login through SSH but with different
>      > permission coming from different ipaddress.
>      >
>      > For example, a user "tester" login to SSH through 192.168.1.1 and
>      > another user login with the same login id "tester" but from different
>      > ip 192.168.1.2.
>      >
>      > How do I restrict 192.168.1.2 to only allow for viewing the
>      > content in the home directory while giving 192.168.1.1 full access?
>
>     Why do you have to use the same user? Viewing the contents of a
>     directory has nothing to do with SSH and you need to use some other
>     methods. So using different users to login would be the easiest to
>     accomplish this. Then you need only to change the permissions on the
>     filesystem. And if you are using POSIX ACLs you have more options than
>     you will ever need for this situation. Keep it simple is the best way
>     for system administration.
>
>
>      >
>      >
>      > I got a suggestion from some one
>      >
>      > Approach 1)
>      > Based on the ip you change the shell. If it's just for read only a
>      > jail would be fine.
>      >
>      > but how do I change shell based on IP?
>      >
>      > Approach 2)
>      >
>      > to have two ssh instances. Let's say port 22 and port 24. Port 22 is
>      > for read only, while port 24 is for full access
>      >
>      > so how can it be possible to give port 22 only read only access
>      > to SSH
>      >
>      >
>
>     Maybe you can tweak PAM and do some shell scripting to achieve both
>     approaches. But why? If you do not do it right you might break your
>     system. I really do not know what this could be good for... Using 2
>     users is the easiest way.
>
>     Bye,
>
>     Michael
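
Added example, not part of the original message or thread: a Python check for the account layout described in the reply above, which parses /etc/passwd-format lines, lists home directories shared by several accounts, and works out what each account gets from a directory's mode bits. The sample lines are constructed from the accounts in the message; the owner (UID 1000), group (GID 1005) and mode 0750 of /home/user1 are assumptions, and only primary groups are considered.

```python
from collections import defaultdict, namedtuple

Account = namedtuple("Account", "name uid gid home shell")

# Constructed sample in /etc/passwd format, modelled on the accounts in the message.
SAMPLE_PASSWD = """\
user1:x:1000:1000:User One,,,:/home/user1:/bin/bash
user2:x:1001:1005:User Two,,,:/home/user1:/bin/bash
user3:x:1002:1005:User Three,,,:/home/user1:/bin/rsh
user4:x:1003:1006:User Four,,,:/home/user4:/usr/local/bin/script
"""

def parse_passwd(text):
    """Parse passwd(5) lines: name:password:UID:GID:GECOS:home:shell."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts

def shared_homes(accounts):
    """Return {home: [names]} for home directories used by more than one account."""
    by_home = defaultdict(list)
    for a in accounts:
        by_home[a.home].append(a.name)
    return {home: names for home, names in by_home.items() if len(names) > 1}

def dir_access(account, owner_uid, group_gid, mode):
    """Access an account gets from a directory's mode bits.
    Assumption: primary group only (no supplementary groups, no ACLs, not root).
    The first matching class (owner, then group, then other) applies."""
    if account.uid == owner_uid:
        bits = mode >> 6
    elif account.gid == group_gid:
        bits = mode >> 3
    else:
        bits = mode
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("shared homes:", shared_homes(accounts))
    for a in accounts:
        # Assumed: /home/user1 is owned by UID 1000, group GID 1005, mode 0750.
        print(a.name, dir_access(a, 1000, 1005, 0o750), a.shell)
```

The result depends only on UID, GID and mode bits, not on the address a session comes from, so an account gets the same access whichever host it connects from.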




