Re: restricting ssh login based on IP
On 02/26/2011 12:09 AM, Dan Sheffner wrote: Like Michael said I would accomplish this with two users. Just off the top of my head I would do: user 1) has full read/write access to /home/user1 user 2) has read only access to /home/user2 schedule cron to rsync from /home/user1 to /home/user2 and make everything read only for the /home/user2. Dan Not knowing what exactly you are trying to achieve, it's hard to give you a specific answer. Like others have suggested, you seem to try to complicate too much. To add to Dan's suggestion; you can have login setup for unlimited number of users to share the same home directory. Depending on the group permissions you can restrict access rights to different users. However, to limit abilities of each user to do things on the same files you would need to use a different shell. For example: -- User-- -- Group-- user1 group1 user2 group2 user3 group2 user4 group3 user1:x:1000:1000:User One,,,:/home/user1:/bin/bash user2:x:1001:1005:User One,,,:/home/user1:/bin/bash user3:x:1002:1005:User One,,,:/home/user1:/bin/rsh user4:x:1003:1005:User One,,,:/home/user4:/usr/local/bin/script ^^ || UID --|| GID ---| Permissions for user1 home directory (or any other directory!) drwxr-x--- group1 /home/user1 has read, write, and execute access to everything user2 is in group2 (GID) so it has read and execute access in /home/user1 user3 has also read and execute access in /home/user1 but has a restricted shell. Note that rsh is a name for different shells to make it more confusing. user4 would only be able to run a certain script that would do things on user1's files. /usr/local/bin/script could be any program including GUI. Not the most elegant but certainly possible. Assuming you are doing this on LAN, you could simply use NFS to restrict users to read only from systems with particular IPs. Note that home directory is nothing special. It's just a place where user is put in during login by what is specified in the /etc/passwd file. That's why two user system suggested by Dan is the easiest to do. The above are not the only options and you don't need to restrict yourself to ssh protocol. If you want a user from a specific address to only see files on another system you could run web server in either http or https mode and setup appropriate authentication to connect. To get to your original request, you could use ssh_config and it's option LocalCommand. I haven't tried it, but if I understand this correctly, you could execute command, a restricted shell for example, as soon as you login. Check man pages. Note that user1 on 192.168.1.2 could be put in different group than user1 on 192.168.1.1. If you used sshfs and remapped user/group ID, you could make it read only. sshfs is the best way to mount whatever directory from a remote system to a local one as it provides instant effect in file changes unlike rsync sftp etc. In general, it's better to have data files elsewhere than home directory as that makes it easier to put restrictions on their permissions including chroot. Why give somebody read only access to your home if you don't trust them in the first place? That's pry bar in the door. I believe that a setup with two different logins and dedicated data area outside user home directory is the safest and the easiest to do. Not only that, it prevents your big security hole. Just because you restrict _user1_ from 192.168.1.2 to a read only mode, nothing (?) prevents that same user to go from 192.168.1.2 to 192.168.1.15 and hop to 192.168.1.1. Two users sharing an account on any system connected to the Internet is like sharing used shorts. On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet michael.z...@zoet.de mailto:michael.z...@zoet.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 06 tel:26.02.2011%2006:32, schrieb Tapas Mishra: Hi, Hi Tapas, I would like to allow a user to login through SSH but with different permission coming from different ipaddress. For example, a user tester login to SSH through 192.168.1.1 and another user login with the same login id tester but from different ip 192.168.1.2. How do I restrict 192.168.1.2 to only allow for viewing the content in the home directory while giving 192.168.1.1 full access? Why do you have to use the same user? Viewing the contents of a directory has nothing to do with SSH and you need to use some other methods. So using different users to login would be the easiest to accomplish this. Then you need only to change the permissions on the filesystem. And if you are using POSIX ACLs you have more options than you will ever need for this situation. Keep it simple is the best way for system administration. I got a suggestion from some one Approach 1)
Re: restricting ssh login based on IP
Quoting Michael Zoet (michael.z...@zoet.de): -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 10:21, schrieb Tapas Mishra: On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner dsheff...@gmail.com wrote: Like Michael said I would accomplish this with two users. Just off the top of my head I would do: No not two users it has to be same user who has to be restricted based on IP from which he logs in. Normally I would say it is impossible, but I do not know everything about PAM, jails and so on. The file system persmissions are not based on the IP a user came from, so you need to tweak a lot! If I really had to do such things I would write a shell script that looks up from where the user came and setup the enviromnet accordingly and make this shell script the login shell. But this is lot of work and someone has to be very carefull... Right - giving details to match those in the requirements :), two ways you could do this include (1) creating a container for the readonly user, give it the second IP (or fwd the second IP to it), and make /home/$user a recursive readonly bind mount of the real home. And (2) you could presumably use an apparmor rule. First thought is write your own trivial pam module to set the user's apparmor context based on login. -serge -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
On Mon, 28 Feb 2011, Serge E. Hallyn wrote: Quoting Michael Zoet (michael.z...@zoet.de): -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 10:21, schrieb Tapas Mishra: On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner dsheff...@gmail.com wrote: Like Michael said I would accomplish this with two users. Just off the top of my head I would do: No not two users it has to be same user who has to be restricted based on IP from which he logs in. Normally I would say it is impossible, but I do not know everything about PAM, jails and so on. The file system persmissions are not based on the IP a user came from, so you need to tweak a lot! If I really had to do such things I would write a shell script that looks up from where the user came and setup the enviromnet accordingly and make this shell script the login shell. But this is lot of work and someone has to be very carefull... Right - giving details to match those in the requirements :), two ways you could do this include (1) creating a container for the readonly user, give it the second IP (or fwd the second IP to it), and make /home/$user a recursive readonly bind mount of the real home. And (2) you could presumably use an apparmor rule. First thought is write your own trivial pam module to set the user's apparmor context based on login. I've done something like this before, jailing into a given root based on a login name. There was really only 1 user, but 2 entries in /etc/passwd, so you could get in as 'user-jailed' or 'user'. or some such. The key was that the user had their shell in /etc/passwd as '/bin/my-jail-user' or something like that. That was a program that decided to jail or not and then executed the appropriate real shell. I think that you could probably do something like this. The only thing I'm not really sure how to do with more digging is to find the source IP address of the ssh connection. I'm sure it can be done. Like everyone else, I'm intrigued by what you're wanting to do, and would like more info. It seems like whatever you do here is really a hack that will quite likely bite you later. -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
On Mon, Feb 28, 2011 at 7:36 PM, Scott Moser smo...@ubuntu.com wrote: On Mon, 28 Feb 2011, Serge E. Hallyn wrote: Quoting Michael Zoet (michael.z...@zoet.de): -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 10:21, schrieb Tapas Mishra: On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner dsheff...@gmail.com wrote: Like Michael said I would accomplish this with two users. Just off the top of my head I would do: No not two users it has to be same user who has to be restricted based on IP from which he logs in. Normally I would say it is impossible, but I do not know everything about PAM, jails and so on. The file system persmissions are not based on the IP a user came from, so you need to tweak a lot! If I really had to do such things I would write a shell script that looks up from where the user came and setup the enviromnet accordingly and make this shell script the login shell. But this is lot of work and someone has to be very carefull... Right - giving details to match those in the requirements :), two ways you could do this include (1) creating a container for the readonly user, give it the second IP (or fwd the second IP to it), and make /home/$user a recursive readonly bind mount of the real home. And (2) you could presumably use an apparmor rule. First thought is write your own trivial pam module to set the user's apparmor context based on login. I've done something like this before, jailing into a given root based on a login name. There was really only 1 user, but 2 entries in /etc/passwd, so you could get in as 'user-jailed' or 'user'. or some such. The key was that the user had their shell in /etc/passwd as '/bin/my-jail-user' or something like that. That was a program that decided to jail or not and then executed the appropriate real shell. I think that you could probably do something like this. The only thing I'm not really sure how to do with more digging is to find the source IP address of the ssh connection. I'm sure it can be done. Thanks for this information. -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
On Sun, Feb 27, 2011 at 7:23 AM, Steven Miano mian...@gmail.com wrote: If you can do it with two users, this would be a good time to use the permission system. Owner having 7 (read/write/execute), and Group having 5 (read and execute). I think everyone on the list would like to know the reasoning behind using the same user account. It is a requirement of one of my projects. -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 06:32, schrieb Tapas Mishra: Hi, Hi Tapas, I would like to allow a user to login through SSH but with different permission coming from different ipaddress. For example, a user tester login to SSH through 192.168.1.1 and another user login with the same login id tester but from different ip 192.168.1.2. How do I restrict 192.168.1.2 to only allow for viewing the content in the home directory while giving 192.168.1.1 full access? Why do you have to use the same user? Viewing the contents of a directory has nothing to do with SSH and you need to use some other methods. So using different users to login would be the easiest to accomplish this. Then you need only to change the permissions on the filesystem. And if you are using POSIX ACLs you have more options than you will ever need for this situation. Keep it simple is the best way for system administration. I got a suggestion from some one Approach 1) Based on the ip you change the shell. If it's just for read only a jail would be fine. but how do I change shell based on IP? Approach 2) to have two ssh instances. Let's say port 22 and port 24. Port 22 is for read only, while port 24 is for full access so how can it be possible to give port 22 only read only access to SSH Maybe you can tweak PAM and do some shell scripting to achieve both aproaches. But why? If you do it not right you might break your system. I really do not know what this could be good for... Using 2 users is the easiest way. Bye, Michael -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk1otAgACgkQBvfZ5167qr9nZACfbeMQNGdRo+ELN8wB0GwZc12R fbYAnjoZwnAN+YpzhgcgjZwrAlFmK5jy =nExp -END PGP SIGNATURE- -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner dsheff...@gmail.com wrote: Like Michael said I would accomplish this with two users. Just off the top of my head I would do: No not two users it has to be same user who has to be restricted based on IP from which he logs in. I need some more information on PAM approach if some one can give about it which direction should I be heading for that approach. user 1) has full read/write access to /home/user1 user 2) has read only access to /home/user2 schedule cron to rsync from /home/user1 to /home/user2 and make everything read only for the /home/user2. Dan On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet michael.z...@zoet.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 06:32, schrieb Tapas Mishra: Hi, Hi Tapas, I would like to allow a user to login through SSH but with different permission coming from different ipaddress. For example, a user tester login to SSH through 192.168.1.1 and another user login with the same login id tester but from different ip 192.168.1.2. How do I restrict 192.168.1.2 to only allow for viewing the content in the home directory while giving 192.168.1.1 full access? Why do you have to use the same user? Viewing the contents of a directory has nothing to do with SSH and you need to use some other methods. So using different users to login would be the easiest to accomplish this. Then you need only to change the permissions on the filesystem. And if you are using POSIX ACLs you have more options than you will ever need for this situation. Keep it simple is the best way for system administration. I got a suggestion from some one Approach 1) Based on the ip you change the shell. If it's just for read only a jail would be fine. but how do I change shell based on IP? Approach 2) to have two ssh instances. Let's say port 22 and port 24. Port 22 is for read only, while port 24 is for full access so how can it be possible to give port 22 only read only access to SSH Maybe you can tweak PAM and do some shell scripting to achieve both aproaches. But why? If you do it not right you might break your system. I really do not know what this could be good for... Using 2 users is the easiest way. Bye, Michael -- http://mightydreams.blogspot.com -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 10:21, schrieb Tapas Mishra: On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner dsheff...@gmail.com wrote: Like Michael said I would accomplish this with two users. Just off the top of my head I would do: No not two users it has to be same user who has to be restricted based on IP from which he logs in. Normally I would say it is impossible, but I do not know everything about PAM, jails and so on. The file system persmissions are not based on the IP a user came from, so you need to tweak a lot! If I really had to do such things I would write a shell script that looks up from where the user came and setup the enviromnet accordingly and make this shell script the login shell. But this is lot of work and someone has to be very carefull... Michael -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk1oyIAACgkQBvfZ5167qr/7vwCgziXRzhrZQ/85Sd7k6a0/+owh +JwAoIPnp+SqEKzSHBCEaMDQ+1pDoUF2 =2fWg -END PGP SIGNATURE- -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
If you can do it with two users, this would be a good time to use the permission system. Owner having 7 (read/write/execute), and Group having 5 (read and execute). I think everyone on the list would like to know the reasoning behind using the same user account. On Sat, Feb 26, 2011 at 04:31, Michael Zoet michael.z...@zoet.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 26.02.2011 10:21, schrieb Tapas Mishra: On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner dsheff...@gmail.com wrote: Like Michael said I would accomplish this with two users. Just off the top of my head I would do: No not two users it has to be same user who has to be restricted based on IP from which he logs in. Normally I would say it is impossible, but I do not know everything about PAM, jails and so on. The file system persmissions are not based on the IP a user came from, so you need to tweak a lot! If I really had to do such things I would write a shell script that looks up from where the user came and setup the enviromnet accordingly and make this shell script the login shell. But this is lot of work and someone has to be very carefull... Michael -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk1oyIAACgkQBvfZ5167qr/7vwCgziXRzhrZQ/85Sd7k6a0/+owh +JwAoIPnp+SqEKzSHBCEaMDQ+1pDoUF2 =2fWg -END PGP SIGNATURE- -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam -- Miano, Steven M. 727.244.9990 http://stevenmiano.com http://facebook.com/mianosm http://twitter.com/mianosm -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
2011/2/27 Steven Miano mian...@gmail.com I think everyone on the list would like to know the reasoning behind using the same user account. +1 Can you please give us an bigger picture of why you want to do this ? -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: restricting ssh login based on IP
2011/2/27 Steven Miano mian...@gmail.com I think everyone on the list would like to know the reasoning behind using the same user account. +1 Tapas, can you please give us an bigger picture of why you want to do this ? -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
restricting ssh login based on IP
Hi, I would like to allow a user to login through SSH but with different permission coming from different ipaddress. For example, a user tester login to SSH through 192.168.1.1 and another user login with the same login id tester but from different ip 192.168.1.2. How do I restrict 192.168.1.2 to only allow for viewing the content in the home directory while giving 192.168.1.1 full access? I got a suggestion from some one Approach 1) Based on the ip you change the shell. If it's just for read only a jail would be fine. but how do I change shell based on IP? Approach 2) to have two ssh instances. Let's say port 22 and port 24. Port 22 is for read only, while port 24 is for full access so how can it be possible to give port 22 only read only access to SSH -- http://mightydreams.blogspot.com -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam