Re: restricting ssh login based on IP

2011-03-01 Thread Rafael Skodlar 

On 02/26/2011 12:09 AM, Dan Sheffner wrote:

Like Michael said I would accomplish this with two users.  Just off the
top of my head I would do:

user 1) has full read/write access to /home/user1
user 2) has read only access to /home/user2

schedule cron to rsync from /home/user1 to /home/user2 and make
everything read only for the /home/user2.

Dan


Not knowing what exactly you are trying to achieve, it's hard to give 
you a specific answer.


Like others have suggested, you seem to try to complicate too much. To 
add to Dan's suggestion; you can have login setup for unlimited number 
of users to share the same home directory. Depending on the group 
permissions you can restrict access rights to different users.


However, to limit abilities of each user to "do things on the same 
files" you would need to use a different shell.


For example:
-- User-- -- Group--
user1 group1
user2 group2
user3 group2
user4 group3

user1:x:1000:1000:User One,,,:/home/user1:/bin/bash
user2:x:1001:1005:User One,,,:/home/user1:/bin/bash
user3:x:1002:1005:User One,,,:/home/user1:/bin/rsh
user4:x:1003:1005:User One,,,:/home/user4:/usr/local/bin/script
  ^^
  ||
UID --||
GID ---|

Permissions for user1 home directory (or any other directory!)
drwxr-x--- group1 /home/user1
has read, write, and execute access to everything

user2 is in group2 (GID) so it has read and execute access in /home/user1

user3 has also read and execute access in /home/user1 but has a 
restricted shell. Note that rsh is a name for different shells to make 
it more confusing.


user4 would only be able to run a certain script that would "do things 
on user1's files". /usr/local/bin/script could be any program including 
GUI. Not the most elegant but certainly possible.


Assuming you are doing this on LAN, you could simply use NFS to restrict 
users to read only from systems with particular IPs.


Note that "home directory" is nothing special. It's just a place where 
user is put in during login by what is specified in the /etc/passwd 
file. That's why two user system suggested by Dan is the easiest to do.


The above are not the only options and you don't need to restrict 
yourself to ssh protocol. If you want a user from a specific address to 
only see files on another system you could run web server in either http 
or https mode and setup appropriate authentication to connect.


To get to your original request, you could use ssh_config and it's 
option LocalCommand. I haven't tried it, but if I understand this 
correctly, you could execute command, a restricted shell for example, 
as soon as you login. Check man pages.


Note that user1 on 192.168.1.2 could be put in different group than 
user1 on 192.168.1.1. If you used sshfs and remapped user/group ID, you 
could make it read only.


sshfs is the best way to mount whatever directory from a remote system 
to a local one as it provides "instant effect" in file changes unlike 
rsync sftp etc.


In general, it's better to have "data files" elsewhere than home 
directory as that makes it easier to put restrictions on their 
permissions including chroot. Why give somebody read only access to your 
home if you don't trust them in the first place? That's pry bar in the door.


I believe that a setup with two different logins and "dedicated data 
area" outside user home directory is the safest and the easiest to do. 
Not only that, it prevents your big security hole. Just because you 
restrict _user1_ from 192.168.1.2 to a read only mode, nothing (?) 
prevents that same user to go from 192.168.1.2 to 192.168.1.15 and hop 
to 192.168.1.1.


Two users sharing an account on any system connected to the Internet is 
like sharing used shorts.



On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet mailto:michael.z...@zoet.de>> wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Am 26.02.2011 06 :32, schrieb Tapas Mishra:
 > Hi,

Hi Tapas,

 >
 > I would like to allow a user to login through SSH but with different
 > permission coming from different ipaddress.
 >
 > For example, a user "tester" login to SSH through 192.168.1.1 and
 > another user login with the same login id "tester" but from different
 > ip 192.168.1.2.
 >
 > How do I restrict 192.168.1.2 to only allow for viewing the
content in
 > the home directory while giving 192.168.1.1 full access?

Why do you have to use the same user? Viewing the contents of a
directory has nothing to do with SSH and you need to use some other
methods. So using different users to login would be the easiest to
accomplish this. Then you need only to change the permissions on the
filesystem. And if you are using POSIX ACLs you have more options than
you will ever need for this situation. Keep it simple is the best way
for system administration.


 >
 >
 > I got a suggestion from some one
 >
 > Approach 1)
 >

Re: restricting ssh login based on IP

2011-02-28 Thread Tapas Mishra 
On Mon, Feb 28, 2011 at 7:36 PM, Scott Moser  wrote:
> On Mon, 28 Feb 2011, Serge E. Hallyn wrote:
>
>> Quoting Michael Zoet (michael.z...@zoet.de):
>> >
>> > -BEGIN PGP SIGNED MESSAGE-
>> > Hash: SHA1
>> >
>> > Am 26.02.2011 10:21, schrieb Tapas Mishra:
>> > > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner  
>> > > wrote:
>> > >> Like Michael said I would accomplish this with two users. Just off the 
>> > >> top
>> > >> of my head I would do:
>> > > No not two users it has to be same user who has to be restricted based
>> > > on IP from which he logs in.
>> >
>> > Normally I would say it is impossible, but I do not know everything
>> > about PAM, jails and so on. The file system persmissions are not based
>> > on the IP a user came from, so you need to tweak a lot! If I really
>> > had to do such things I would write a shell script that looks up from
>> > where the user came and setup the enviromnet accordingly and make this
>> > shell script the login shell. But this is lot of work and someone has
>> > to be very carefull...
>>
>> Right - giving details to match those in the requirements :), two ways
>> you could do this include (1) creating a container for the readonly
>> user, give it the second IP (or fwd the second IP to it), and make
>> /home/$user a recursive readonly bind mount of the real home.  And
>> (2) you could presumably use an apparmor rule.  First thought is
>> write your own trivial pam module to set the user's apparmor context
>> based on login.
>
> I've done something like this before, jailing into a given root based on a
> login name.  There was really only 1 user, but 2 entries in /etc/passwd, so
> you could get in as 'user-jailed' or 'user'.  or some such.  The key was
> that the user had their shell in /etc/passwd as '/bin/my-jail-user' or
> something like that.  That was a program that decided to jail or not and
> then executed the appropriate "real" shell.
>
> I think that you could probably do something like this.  The only thing
> I'm not really sure how to do with more digging is to find the source IP
> address of the ssh connection.  I'm sure it can be done.
>
Thanks for this information.

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-28 Thread Scott Moser 
On Mon, 28 Feb 2011, Serge E. Hallyn wrote:

> Quoting Michael Zoet (michael.z...@zoet.de):
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Am 26.02.2011 10:21, schrieb Tapas Mishra:
> > > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner  wrote:
> > >> Like Michael said I would accomplish this with two users. Just off the 
> > >> top
> > >> of my head I would do:
> > > No not two users it has to be same user who has to be restricted based
> > > on IP from which he logs in.
> >
> > Normally I would say it is impossible, but I do not know everything
> > about PAM, jails and so on. The file system persmissions are not based
> > on the IP a user came from, so you need to tweak a lot! If I really
> > had to do such things I would write a shell script that looks up from
> > where the user came and setup the enviromnet accordingly and make this
> > shell script the login shell. But this is lot of work and someone has
> > to be very carefull...
>
> Right - giving details to match those in the requirements :), two ways
> you could do this include (1) creating a container for the readonly
> user, give it the second IP (or fwd the second IP to it), and make
> /home/$user a recursive readonly bind mount of the real home.  And
> (2) you could presumably use an apparmor rule.  First thought is
> write your own trivial pam module to set the user's apparmor context
> based on login.

I've done something like this before, jailing into a given root based on a
login name.  There was really only 1 user, but 2 entries in /etc/passwd, so
you could get in as 'user-jailed' or 'user'.  or some such.  The key was
that the user had their shell in /etc/passwd as '/bin/my-jail-user' or
something like that.  That was a program that decided to jail or not and
then executed the appropriate "real" shell.

I think that you could probably do something like this.  The only thing
I'm not really sure how to do with more digging is to find the source IP
address of the ssh connection.  I'm sure it can be done.

Like everyone else, I'm intrigued by what you're wanting to do, and would
like more info.  It seems like whatever you do here is really a hack that
will quite likely bite you later.

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-28 Thread Serge E. Hallyn 
Quoting Michael Zoet (michael.z...@zoet.de):
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Am 26.02.2011 10:21, schrieb Tapas Mishra:
> > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner  wrote:
> >> Like Michael said I would accomplish this with two users. Just off the top
> >> of my head I would do:
> > No not two users it has to be same user who has to be restricted based
> > on IP from which he logs in.
> 
> Normally I would say it is impossible, but I do not know everything
> about PAM, jails and so on. The file system persmissions are not based
> on the IP a user came from, so you need to tweak a lot! If I really
> had to do such things I would write a shell script that looks up from
> where the user came and setup the enviromnet accordingly and make this
> shell script the login shell. But this is lot of work and someone has
> to be very carefull...

Right - giving details to match those in the requirements :), two ways
you could do this include (1) creating a container for the readonly
user, give it the second IP (or fwd the second IP to it), and make
/home/$user a recursive readonly bind mount of the real home.  And
(2) you could presumably use an apparmor rule.  First thought is
write your own trivial pam module to set the user's apparmor context
based on login.

-serge

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-27 Thread Tapas Mishra 
On Sun, Feb 27, 2011 at 7:23 AM, Steven Miano  wrote:

> If you can do it with two users, this would be a good time to use the
> permission system.
>
> Owner having 7 (read/write/execute), and Group having 5 (read and
> execute).
>
> I think everyone on the list would like to know the reasoning behind using
> the same user account.
>
It is a requirement of one of my projects.
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-26 Thread C S Shyam Sundar 
>
> 2011/2/27 Steven Miano 
>
> I think everyone on the list would like to know the reasoning behind using
>> the same user account.
>>
>> +1
>
>
Tapas, can you please give us an bigger picture of why you want to do this ?
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-26 Thread C S Shyam Sundar 
2011/2/27 Steven Miano 

> I think everyone on the list would like to know the reasoning behind using
> the same user account.
>
> +1

Can you please give us an bigger picture of why you want to do this ?
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-26 Thread Steven Miano 
If you can do it with two users, this would be a good time to use the
permission system.

Owner having 7 (read/write/execute), and Group having 5 (read and execute).

I think everyone on the list would like to know the reasoning behind using
the same user account.

On Sat, Feb 26, 2011 at 04:31, Michael Zoet  wrote:

>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Am 26.02.2011 10:21, schrieb Tapas Mishra:
> > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner 
> wrote:
> >> Like Michael said I would accomplish this with two users. Just off the
> top
> >> of my head I would do:
> > No not two users it has to be same user who has to be restricted based
> > on IP from which he logs in.
>
> Normally I would say it is impossible, but I do not know everything
> about PAM, jails and so on. The file system persmissions are not based
> on the IP a user came from, so you need to tweak a lot! If I really
> had to do such things I would write a shell script that looks up from
> where the user came and setup the enviromnet accordingly and make this
> shell script the login shell. But this is lot of work and someone has
> to be very carefull...
>
> Michael
>
>
>
>
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1oyIAACgkQBvfZ5167qr/7vwCgziXRzhrZQ/85Sd7k6a0/+owh
> +JwAoIPnp+SqEKzSHBCEaMDQ+1pDoUF2
> =2fWg
> -END PGP SIGNATURE-
>
>
> --
> ubuntu-server mailing list
> ubuntu-server@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>



-- 
Miano, Steven M.
   727.244.9990
   

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-26 Thread Michael Zoet 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Am 26.02.2011 10:21, schrieb Tapas Mishra:
> On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner  wrote:
>> Like Michael said I would accomplish this with two users. Just off the top
>> of my head I would do:
> No not two users it has to be same user who has to be restricted based
> on IP from which he logs in.

Normally I would say it is impossible, but I do not know everything
about PAM, jails and so on. The file system persmissions are not based
on the IP a user came from, so you need to tweak a lot! If I really
had to do such things I would write a shell script that looks up from
where the user came and setup the enviromnet accordingly and make this
shell script the login shell. But this is lot of work and someone has
to be very carefull...

Michael





-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1oyIAACgkQBvfZ5167qr/7vwCgziXRzhrZQ/85Sd7k6a0/+owh
+JwAoIPnp+SqEKzSHBCEaMDQ+1pDoUF2
=2fWg
-END PGP SIGNATURE-


-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-26 Thread Tapas Mishra 
On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner  wrote:
> Like Michael said I would accomplish this with two users.  Just off the top
> of my head I would do:
No not two users it has to be same user who has to be restricted based
on IP from which he logs in.
I need some more information on PAM approach if some one can give
about it which direction should I be heading for that approach.
> user 1) has full read/write access to /home/user1
> user 2) has read only access to /home/user2
>
> schedule cron to rsync from /home/user1 to /home/user2 and make everything
> read only for the /home/user2.
>
> Dan
>
> On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet  wrote:
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Am 26.02.2011 06:32, schrieb Tapas Mishra:
>> > Hi,
>>
>> Hi Tapas,
>>
>> >
>> > I would like to allow a user to login through SSH but with different
>> > permission coming from different ipaddress.
>> >
>> > For example, a user "tester" login to SSH through 192.168.1.1 and
>> > another user login with the same login id "tester" but from different
>> > ip 192.168.1.2.
>> >
>> > How do I restrict 192.168.1.2 to only allow for viewing the content in
>> > the home directory while giving 192.168.1.1 full access?
>>
>> Why do you have to use the same user? Viewing the contents of a
>> directory has nothing to do with SSH and you need to use some other
>> methods. So using different users to login would be the easiest to
>> accomplish this. Then you need only to change the permissions on the
>> filesystem. And if you are using POSIX ACLs you have more options than
>> you will ever need for this situation. Keep it simple is the best way
>> for system administration.
>>
>>
>> >
>> >
>> > I got a suggestion from some one
>> >
>> > Approach 1)
>> > Based on the ip you change the shell. If it's just for read only a
>> > jail would be fine.
>> >
>> > but how do I change shell based on IP?
>> >
>> > Approach 2)
>> >
>> > to have two ssh instances. Let's say port 22 and port 24. Port 22 is
>> > for read only, while port 24 is for full access
>> >
>> > so how can it be possible to give port 22 only read only access to SSH
>> >
>> >
>>
>> Maybe you can tweak PAM and do some shell scripting to achieve both
>> aproaches. But why? If you do it not right you might break your
>> system. I really do not know what this could be good for... Using 2
>> users is the easiest way.
>>
>> Bye,
>>
>> Michael
>>
>>
>>
>>
>>



-- 
http://mightydreams.blogspot.com

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-26 Thread Dan Sheffner 
Like Michael said I would accomplish this with two users.  Just off the top
of my head I would do:

user 1) has full read/write access to /home/user1
user 2) has read only access to /home/user2

schedule cron to rsync from /home/user1 to /home/user2 and make everything
read only for the /home/user2.

Dan

On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet  wrote:

>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Am 26.02.2011 06:32, schrieb Tapas Mishra:
> > Hi,
>
> Hi Tapas,
>
> >
> > I would like to allow a user to login through SSH but with different
> > permission coming from different ipaddress.
> >
> > For example, a user "tester" login to SSH through 192.168.1.1 and
> > another user login with the same login id "tester" but from different
> > ip 192.168.1.2.
> >
> > How do I restrict 192.168.1.2 to only allow for viewing the content in
> > the home directory while giving 192.168.1.1 full access?
>
> Why do you have to use the same user? Viewing the contents of a
> directory has nothing to do with SSH and you need to use some other
> methods. So using different users to login would be the easiest to
> accomplish this. Then you need only to change the permissions on the
> filesystem. And if you are using POSIX ACLs you have more options than
> you will ever need for this situation. Keep it simple is the best way
> for system administration.
>
>
> >
> >
> > I got a suggestion from some one
> >
> > Approach 1)
> > Based on the ip you change the shell. If it's just for read only a
> > jail would be fine.
> >
> > but how do I change shell based on IP?
> >
> > Approach 2)
> >
> > to have two ssh instances. Let's say port 22 and port 24. Port 22 is
> > for read only, while port 24 is for full access
> >
> > so how can it be possible to give port 22 only read only access to SSH
> >
> >
>
> Maybe you can tweak PAM and do some shell scripting to achieve both
> aproaches. But why? If you do it not right you might break your
> system. I really do not know what this could be good for... Using 2
> users is the easiest way.
>
> Bye,
>
> Michael
>
>
>
>
>
>
>
>
>
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1otAgACgkQBvfZ5167qr9nZACfbeMQNGdRo+ELN8wB0GwZc12R
> fbYAnjoZwnAN+YpzhgcgjZwrAlFmK5jy
> =nExp
> -END PGP SIGNATURE-
>
>
> --
> ubuntu-server mailing list
> ubuntu-server@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: restricting ssh login based on IP

2011-02-26 Thread Michael Zoet 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Am 26.02.2011 06:32, schrieb Tapas Mishra:
> Hi,

Hi Tapas,

>
> I would like to allow a user to login through SSH but with different
> permission coming from different ipaddress.
>
> For example, a user "tester" login to SSH through 192.168.1.1 and
> another user login with the same login id "tester" but from different
> ip 192.168.1.2.
>
> How do I restrict 192.168.1.2 to only allow for viewing the content in
> the home directory while giving 192.168.1.1 full access?

Why do you have to use the same user? Viewing the contents of a
directory has nothing to do with SSH and you need to use some other
methods. So using different users to login would be the easiest to
accomplish this. Then you need only to change the permissions on the
filesystem. And if you are using POSIX ACLs you have more options than
you will ever need for this situation. Keep it simple is the best way
for system administration.


>
>
> I got a suggestion from some one
>
> Approach 1)
> Based on the ip you change the shell. If it's just for read only a
> jail would be fine.
>
> but how do I change shell based on IP?
>
> Approach 2)
>
> to have two ssh instances. Let's say port 22 and port 24. Port 22 is
> for read only, while port 24 is for full access
>
> so how can it be possible to give port 22 only read only access to SSH
>
>

Maybe you can tweak PAM and do some shell scripting to achieve both
aproaches. But why? If you do it not right you might break your
system. I really do not know what this could be good for... Using 2
users is the easiest way.

Bye,

Michael










-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1otAgACgkQBvfZ5167qr9nZACfbeMQNGdRo+ELN8wB0GwZc12R
fbYAnjoZwnAN+YpzhgcgjZwrAlFmK5jy
=nExp
-END PGP SIGNATURE-


-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam