# SSH with ACLs

## mauricec

Hi all,

I'm in the middle of an upgrade of UNIX systems at a customer, they have their users in /etc/passwd, and I need to change that.

They have just terminated telnet and ftp, so time for something new...

I want some advanced features for ssh, and I think ( hope ) it might already be there... 

What I need is that ssh client/server asks an authentication server if a specific operation for a particular user is allowed or denied.

If I have user Y and want to connect to server foo.com, then server bar.com needs to tell if that user is allowed to open shell or sftp only using public key or not.

There are many other options like X forwarding, tunneling, to and from specific ip's, remote command execution, compression that needs to be considered.

We also need a new user database to simplify the user management, so there will probably come an ldap backend for this.

It is about 50 servers and 400 users that need to use this mechanism.

The software should be running on several unix platforms like SunOS, AS400, redhat and Gentoo. So something compilable would be nice.

I found this http://penguin.fr/sshproxy/ already, but don't know if it is the right solution.

I also know that there is a package called BoKS, but I cannot find it and it is not free.

Maybe you guys have some more alternatives.

----------

## krolden

I'm not sure it's possible to integrate all that functionality into SSH.

SSH with kerberos integration would allow you to log into the system whilst keeping user accounts and passwords centrally stored. It will also be able to authenticate you to the available services.

 *Quote:*   

> The Secure Shell protocol provides a secure replacement for telnet, rsh, rcp, and ftp. Even without Kerberos, SSH can be used to have password-less remote login, using a RSA or DSS public key scheme. This doesn't require a central server, so it is very useful if you have to use many machines in different administrative zones. Kerberos on the other hand can give you access to many other services besides SSH with the same password.
> 
> There are two incompatible revisions of the SSH protocol, SSH1 and SSH2. Only the combination of SSH2 and Kerberos 5 is covered here.
> 
> SSH is both a remote network service and a point of initial login to a realm. As a result, there are several ways to use Kerberos with SSH. Password-less logins are supported through GSSAPI. Under certain circumstances, the Kerberos authentication also replaces SSH host key checking, because Kerberos always authenticates the service to the client as well as the client to the service. The Kerberos support in SSH also allows your TGT to be forwarded to the remote machine, so you can access further network services from the remote machine without entering your password as well.
> ...


> If I have user Y and want to connect to server foo.com, then server bar.com needs to tell if that user is allowed to open shell or sftp only using public key or not.

For network based services you could use kerberos.

For local services (like using sftp and other binaries stored on the host) I believe this would not be possible. Your best bet would probably be to implement Mandatory Access Controls (SELinux or Grsecurity) on the host. You could use a version control system (like svn) to keep your configuration files consistent and stored in a centralised way. All clients could update their working copy in a controlled fashion (cron or whatever). Tunneling through ssh is also possible (svn+ssh or cvs+ssh) so you wouldn't need to worry about sending information in plain text.

Hope this helps.

----------

## mauricec

Still not entirely convinced  :Smile: 

Although reading has given me some more in depth info about all this....

Thanks for the reply !

----------

## krolden

I admit it's not the most elegant solution, but I don't really see how one could restrict access to binaries on a particular host through kerberos or ldap.

----------

## mauricec

It's not really restricting access to binaries, but more the way if a user is allowed to connect with a certain method.

I want certain users to have shell only access, and other users sftp access. And other users should be denied X forwarding.

All that controlled from an backend machine.

That would be a great improvement for ssh, I think.

Maybe the kerberos+ssh is a good start  :Smile: 

----------

## nielchiano

 *mauricec wrote:*   

> I want certain users to have shell only access, and other users sftp access


I don't see the advantage of shell-only... you could just use

```
# fetch a remote file over ssh
ssh user@machine "cat /path/to/file" > /tmp/file

# push a local file to the remote host
cat /tmp/file | ssh user@machine "cat > /path/to/file"
```

and achieve exactly the same...

----------

## nielchiano

when using public-key you CAN restrict some options in the authorized_keys:

```
from="10.0.1.2",no-X11-forwarding,no-agent-forwarding ssh-rsa AAA....rjgw== user@machine
```

man sshd for more details

further, you could set up something NIS-like (personally I use LDAP) and add the users to groups like "ssh_machinename" and tell the sshd from that machine to "AllowGroups ssh_machinename"
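The authorized_keys options above are what sshd actually enforces per key, so auditing a host means reading every line and working out what each key still permits. The following is an added example for this thread, not code from the post or from OpenSSH: a parser for the option field (quoted values may contain commas, as in `from="a,b"`, and backslash-escaped quotes), a checker for sshd's `from=` pattern-list rule, and an evaluator for the `no-*` options. It also understands `restrict` and `command="internal-sftp"`, which are newer OpenSSH features than the post; CIDR and hostname forms of `from=` are deliberately left out, and the sample lines are constructed (the first one is the line quoted in the post).

```python
"""Parse authorized_keys(5) option fields and report what each key permits (added example)."""
import fnmatch
from collections import namedtuple

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
REPEATABLE = {"environment", "permitopen", "permitlisten"}   # may be given more than once
FEATURES = ("pty", "X11-forwarding", "port-forwarding", "agent-forwarding", "user-rc")
AuthorizedKey = namedtuple("AuthorizedKey", "options key_type key comment")

def _split_options(text):
    """Split the option field on unquoted commas; stop at the first unquoted blank. Returns (items, end)."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and i + 1 < len(text):   # backslash escapes inside quotes
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and c == ",":
            items.append("".join(cur))
            cur = []
            i += 1
            continue
        elif not quoted and c in " \t":
            break
        cur.append(c)
        i += 1
    items.append("".join(cur))
    return items, i

def _options_dict(items):
    """['from="10.0.1.2"', 'no-pty'] -> {"from": "10.0.1.2", "no-pty": True}."""
    options = {}
    for item in filter(None, items):
        name, sep, value = item.partition("=")
        if not sep:
            value = True                                 # flag option (no-pty, restrict, ...)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                          # drop the surrounding quotes
        if name in REPEATABLE:
            options.setdefault(name, []).append(value)
        else:
            options[name] = value
    return options

def parse_options(text):
    return _options_dict(_split_options(text)[0])

def parse_line(line):
    """One authorized_keys line -> AuthorizedKey, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    items, end = ([], 0) if line.startswith(KEY_TYPES) else _split_options(line)
    fields = line[end:].split(None, 2)                   # key type, base64 blob, optional comment
    if len(fields) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return AuthorizedKey(_options_dict(items), fields[0], fields[1],
                         fields[2] if len(fields) == 3 else "")

def parse_authorized_keys(text):
    return [k for k in map(parse_line, text.splitlines()) if k is not None]

def source_allowed(from_value, addr):
    """sshd's from= rule: a matching '!pattern' denies at once, otherwise some positive pattern must match."""
    if from_value is None:
        return True
    matched = False
    for pat in from_value.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(addr, pat[1:] if negate else pat):
            if negate:
                return False
            matched = True
    return matched

def permissions(key):
    """Features the key leaves on: no-<f> denies, restrict denies all, a bare <f> re-enables after restrict."""
    o = key.options
    restricted = "restrict" in o
    perms = {f: False if f"no-{f}" in o else (f in o if restricted else True) for f in FEATURES}
    perms["forced_command"] = o.get("command")           # replaces whatever the client asked for
    perms["interactive_shell"] = "command" not in o
    return perms

# Constructed sample (key blobs are placeholders); the first line is the one quoted in the post.
SAMPLE = """\
from="10.0.1.2",no-X11-forwarding,no-agent-forwarding ssh-rsa AAA....rjgw== user@machine
# sftp-only: everything off, pty back on, forced into sshd's in-process sftp server
restrict,pty,command="internal-sftp",from="10.0.1.*,!10.0.1.99" ssh-ed25519 AAAAC3...Ab== sftp-only@machine
ssh-ed25519 AAAAC3...Cd== unrestricted@machine
"""

if __name__ == "__main__":
    for k in parse_authorized_keys(SAMPLE):
        print(k.comment, permissions(k))
```

Run it against a real `~/.ssh/authorized_keys` by feeding the file contents to `parse_authorized_keys`; a key with no options at all (the third sample line) is the case an auditor looks for first, since it permits everything sshd_config allows.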

----------

## mauricec

Actually it all has to do with auditing.

3 times a year some auditors come to check out the complete computer environment.

I want to have a security level so high that they don't bother me for a few years.

And yes I know that catting and piping could do it, but database files and binaries are useless if you do it like that.

And I see that a lot of large organisations are struggling with this issue. They do need a higher level of access control.

----------

## nielchiano

 *mauricec wrote:*   

> And yes I know that catting and piping could do it, but database files and binaries are useless if you do that like that.


actually it will work exactly as sftp... and it won't choke on binaries, since the ssh-pipe is 8bit-clean.

databases won't be a problem either (unless they're online, but then sftp won't work either)

what's wrong with the LDAP-thing I mentioned?

----------

## mauricec

```
from="10.0.1.2",no-X11-forwarding,no-agent-forwarding ssh-rsa AAA....rjgw== user@machine
```

That would be great if it could be read from some kind of database backend  :Smile:  instead of plain files stored locally..

so something like this...

```
from=mysql://SSHDB,ACL,"10.0.1.2",no-X11-forwarding,no-agent-forwarding ssh-rsa AAA....rjgw== user@machine
```

Or am I thinking strange things .... ( and yes I know syntax is totally wrong ... )

----------

## nielchiano

 *mauricec wrote:*   

> That would be great if it could be read from some kind of database backend  instead of plain files stored locally..
> 
> so something like this...


I'm not sure about a database backend... but you could rig something together:

have each server configured to get the authorized_keys file from /mnt/network-share/mymachinename/...

then, configure your DB as you wish and have it auto-create (eg every night/hour/second) those files.

(alternatively, have the DB ssh/ftp those files to the machines)

I'm sure that this is far from an elegant setup, but hey, it can even work
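The push variant described here can be made a good deal tidier than it sounds. The script below is an added example, not code from the thread or from OpenSSH: it renders authorized_keys content from a central policy table and writes one file per host and per user under a directory the database host then distributes. The policy records, user names and host names are constructed. Two design points carry the security weight: the generated tree is root-owned and referenced from sshd_config with `AuthorizedKeysFile <root>/<host>/%u` (a real keyword), so it lives outside the user's home and the user cannot edit it; and the per-user split matters because sshd only reads the authenticating user's file, so a key granted to one user can never be presented as another's. Later OpenSSH releases (6.2 and up) added `AuthorizedKeysCommand`, which asks an external program for a user's keys at login time and removes the need to push files at all.

```python
"""Render per-host, per-user authorized_keys files from one central policy table (added example)."""
import sys
from collections import defaultdict
from pathlib import Path

# Constructed policy records; a real deployment would read these from LDAP or SQL.
# Key blobs are placeholders, hosts and user names are invented.
USERS = {
    "alice": {"pubkey": "ssh-ed25519 AAAAC3...Ab==", "access": "shell",
              "x11": True, "tunnel": False, "from": None},
    "bob":   {"pubkey": "ssh-rsa AAA....rjgw==", "access": "sftp",
              "x11": False, "tunnel": False, "from": "10.0.1.2"},
    "carol": {"pubkey": "ssh-ed25519 AAAAC3...Cd==", "access": "shell",
              "x11": False, "tunnel": True, "from": "10.0.1.*,!10.0.1.99"},
}
GRANTS = [("alice", "foo.example"), ("bob", "foo.example"), ("carol", "bar.example")]


def key_options(policy):
    """Translate one user's policy into the authorized_keys option field."""
    opts = []
    if policy["from"]:
        opts.append(f'from="{policy["from"]}"')          # pin the client address pattern
    if policy["access"] == "sftp":
        opts.append('command="internal-sftp"')           # sshd's in-process sftp server, no shell
        opts.append("no-pty")
    if not policy["x11"]:
        opts.append("no-X11-forwarding")
    opts.append("no-agent-forwarding")                   # an agent never follows a user onto a shared box
    if not policy["tunnel"]:
        opts.append("no-port-forwarding")
    return ",".join(opts)


def render_line(user, policy):
    """Full authorized_keys line; the trailing comment names the user for audit logs."""
    return f"{key_options(policy)} {policy['pubkey']} {user}"


def render_all(users=USERS, grants=GRANTS):
    """Return {host: {user: line}}; one file per user per host, since sshd reads only the %u file."""
    per_host = defaultdict(dict)
    for user, host in grants:
        per_host[host][user] = render_line(user, users[user])
    return dict(per_host)


def write_tree(root, rendered):
    """Write <root>/<host>/<user>, matching 'AuthorizedKeysFile <root>/<host>/%u' in sshd_config."""
    written = []
    for host, lines in rendered.items():
        for user, line in lines.items():
            target = Path(root) / host / user
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(line + "\n")
            target.chmod(0o644)                          # readable by sshd, not writable by the user
            written.append(target)
    return written


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "./generated-keys"
    for path in write_tree(root, render_all()):
        print("wrote", path)
```

Run it from the database host with the output directory as its argument, then ship each `<host>` subtree to that host (or mount it as nielchiano suggests); sshd's StrictModes check will reject the files if the directories end up group- or world-writable, which is the behaviour you want.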

----------

## mauricec

I must admit that could work, but not easy to maintain in a big environment...

It is easy for the users to modify their authorized_keys and that is not good if I want to enforce a policy.

And then again ... I have to maintain all those files... I don't think that's an option  :Smile: 

----------

