Comments on darkphader's ramblings: Practice safe and secure SSH!
Blog author: Darkphader (http://www.blogger.com/profile/00522202035245685302)

Comment posted 2011-03-01T10:22:38-05:00:
==================
Match User chris, Address 192.168.0.9
PasswordAuthentication yes
==================
works fine here with version 5.8 (both Linux and OpenBSD), and although the man page(s) specify comma-separated lists, space-separated does work on my Linux box.
"RequiredAuthentications" is not a valid keyword in my versions, and only a subset of the available keywords can be used in the Match block.
However, my guess, since you're running Linux, is that you're being bitten by "UsePAM yes"; change this to "UsePAM no" and let me know if your results are different.
Darkphader (https://www.blogger.com/profile/00522202035245685302)

Comment posted 2011-02-28T17:11:11-05:00:
Hello Darkphader,

Oh dear - every second comment that I post is disappearing into the ether. Here's my original comment, as posted at 1:10 AM. A lot of this is wrong.

---

 Hi, and thanks for the tips. To specify more than one 'Match' condition in sshd_config, have one Match line following another. E.g.

 Match User "bob"
 Match 192.168.0.1/24
^ [ WRONG!! ]

 The sshd_config(5) manpage says that the tests stop at another Match line, so maybe I made a mistake here; I found that the conditions are ANDed and last until a 'Match' keyword on its own (or EOF). I have public-key authentication on my system and have disabled passwords to stop crackers, but I wanted to enable them for a secret 'emergency' account. I set it up to enable password authentication only for this account, and then set sudo to allow just the 'shutdown' or 'reboot' commands to be run (sudo's manpage is full of confusing BNF, but fortunately, it has lots of examples).

I also have my sshd output a banner to connecting hosts, displaying a confusing mishmash of legal jargon. I've gradually added to this file over the days, and it now outputs half a screen of blurb before login. I admit, the usefulness of this feature is limited, since it serves more to annoy me than anything else. ;)

---

As stated, this is all wrong, and I realised that it wasn't working when I tried to log into the 'secret account' from a host that should not have been allowed to log in. Testing my OpenSSH (OpenSSH_5.3p1 Debian-3ubuntu5, OpenSSL 0.9.8k 25 Mar 2009), I found that if multiple Match tests are specified on one line, everything after the first test is disregarded. E.g. if I did this:

Match User foo Address 192.168.0.1

... then 'User foo' would be matched, but the 'Address 192.168.0.1' test would be ignored.
This makes me wonder if there's any way to have multiple tests in a Match line, or if it's just my version of ssh. I have found another blog that appears to show a multiple test, but it doesn't work on mine:

[ http://www.gossamer-threads.com/lists/openssh/bugs/45881 ]

---

# allow admins from the dmz with pubkey and password
Match Group admins Address 1.2.3.0/24
RequiredAuthentications publickey,password

---

On my sshd, this will only match 'Group admins'.

I hope that this helps - and warns of some of the pitfalls.

Lex
lexthehex (http://brooknet.no-ip.com/)
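The two comments above disagree about what a Match line with several criteria does. The following is an added example, not code from either commenter or from the OpenSSH project: a small offline evaluator that applies the Match semantics documented in sshd_config(5) for the criteria discussed in the thread (User, Group, Host, Address). All criterion/pattern pairs on one Match line are ANDed; each pattern value is a comma-separated list that may use `*`/`?` wildcards, `!` negation and, for Address, CIDR ranges; a block lasts until the next Match line or end of file; and among matching blocks the first value obtained for a keyword wins. The sample sshd_config fragment, the user names and the addresses are constructed for the demo and modelled on the scenario in the thread; they are not taken from anyone's real configuration.

```python
"""Offline evaluator for sshd_config Match blocks (added example, not from the thread)."""
import fnmatch
import ipaddress

# Criteria the thread discusses; OpenSSH 5.x also knows LocalAddress/LocalPort (5.7+).
MATCH_CRITERIA = ("user", "group", "host", "address")


def _split_patterns(value):
    """'chris,alice,' -> ['chris', 'alice']; empty entries never match, quotes are dropped."""
    return [p.strip('"') for p in value.split(",") if p]


def parse_match_criteria(spec):
    """'User chris Address 192.168.0.9' -> [('user', ['chris']), ('address', ['192.168.0.9'])].

    Tokens alternate criterion / pattern list, so a bare 'Match 192.168.0.1/24'
    has no criterion keyword and is rejected, as sshd rejects it.
    """
    tokens = spec.split()
    criteria = []
    for i in range(0, len(tokens), 2):
        name = tokens[i].lower()
        if name not in MATCH_CRITERIA or i + 1 >= len(tokens):
            raise ValueError("Missing Match criteria near %r" % tokens[i])
        criteria.append((name, _split_patterns(tokens[i + 1])))
    if not criteria:
        raise ValueError("Match line without criteria")
    return criteria


def is_valid_match_line(spec):
    """True if sshd would accept the text following the Match keyword."""
    try:
        parse_match_criteria(spec)
        return True
    except ValueError:
        return False


def parse_sshd_config(text):
    """Return (global_options, [(criteria, block_options), ...]); keywords are lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}                      # a new block runs until the next Match or EOF
            blocks.append((parse_match_criteria(value), current))
        elif current is None:
            global_opts.setdefault(keyword, value)   # first obtained value wins
        else:
            current.setdefault(keyword, value)
    return global_opts, blocks


def _pattern_list_matches(subject, patterns):
    """sshd-style list match: a matching '!' entry vetoes, otherwise one positive hit is needed."""
    positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(subject, pat[1:] if negated else pat):
            if negated:
                return False
            positive = True
    return positive


def _address_list_matches(addr, patterns):
    """Address criterion: literal IPs or CIDR ranges, '!' negates an entry."""
    ip = ipaddress.ip_address(addr)
    positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if ip in ipaddress.ip_network(pat[1:] if negated else pat, strict=False):
            if negated:
                return False
            positive = True
    return positive


def _criterion_satisfied(name, patterns, conn):
    if name == "address":
        return _address_list_matches(conn["addr"], patterns)
    if name == "group":
        return any(_pattern_list_matches(g, patterns) for g in conn["groups"])
    return _pattern_list_matches(conn[name], patterns)   # user / host


def effective_options(config_text, user, addr, host="", groups=()):
    """Options sshd would apply to one connection after Match processing (keys lower-cased)."""
    global_opts, blocks = parse_sshd_config(config_text)
    conn = {"user": user, "addr": addr, "host": host, "groups": tuple(groups)}
    matched = {}
    for criteria, block_opts in blocks:
        if all(_criterion_satisfied(n, p, conn) for n, p in criteria):   # criteria are ANDed
            for key, value in block_opts.items():
                matched.setdefault(key, value)   # first matching block wins per keyword
    effective = dict(global_opts)
    effective.update(matched)
    return effective


# Constructed sshd_config fragment modelled on the thread: passwords off globally,
# re-enabled only for one account coming from one address (hypothetical names/addresses).
SAMPLE_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

# Both criteria must hold: user chris AND address 192.168.0.9
Match User chris Address 192.168.0.9
    PasswordAuthentication yes

# Comma-separated list with a negated entry
Match Group admins Address 192.168.0.0/24,!192.168.0.99
    PermitRootLogin no
"""


def demo():
    """Evaluate SAMPLE_CONFIG for a few constructed connections."""
    def pw(user, addr, groups=()):
        return effective_options(SAMPLE_CONFIG, user, addr, groups=groups)["passwordauthentication"]

    def root(user, addr, groups=()):
        return effective_options(SAMPLE_CONFIG, user, addr, groups=groups).get("permitrootlogin")

    return {
        "chris from 192.168.0.9": pw("chris", "192.168.0.9"),              # yes: both criteria hold
        "chris from 10.0.0.5": pw("chris", "10.0.0.5"),                    # no: Address fails
        "bob from 192.168.0.9": pw("bob", "192.168.0.9"),                  # no: User fails
        "admins from 192.168.0.10": root("eve", "192.168.0.10", ["admins"]),  # no (block applied)
        "admins from 192.168.0.99": root("eve", "192.168.0.99", ["admins"]),  # None (vetoed by '!')
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print("%-26s %s" % (case, value))
```

On a real server the equivalent check is sshd's extended test mode (OpenSSH 5.1 and later): `sshd -T -C user=chris,host=client,addr=192.168.0.9 | grep -i -e passwordauthentication -e challengeresponse` prints the configuration sshd would actually apply to that connection, which settles whether a Match line is being honoured without logging in. One caveat the evaluator cannot show: with `UsePAM yes`, PAM's keyboard-interactive authentication can still prompt for a password when `ChallengeResponseAuthentication` is enabled, regardless of `PasswordAuthentication no`, so check both keywords in the `-T` output before concluding that passwords are off for an account.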