How to limit SSH access for one account to only 2 addresses?

Postby Woefdram » 2017-10-24 00:43

My monitoring system uses SSH to do its business. I want the managed servers to only accept this login from 2 addresses: the IPv4 and IPv6 address of my monitoring server. Seems simple, but I can't figure out how to make that work.

I've seen several threads about exactly this, such as this one, and I studied the manpage. What I think I should do, is tell SSH to deny this user if he's not coming from either of these 2 addresses.

These are the last lines in my sshd_config:
Code:
Match Address !12.23.45.78
  DenyUsers nagios
Match Address !11:22:44:55::1
  DenyUsers nagios


But it doesn't seem to do a thing, because nagios can still login from any address.

Or it could even be simpler, without any Match element:
Code:
DenyUsers nagios@!12.23.45.78 nagios@!11:22:44:55::1


Same result: nagios can login from anywhere. So I tried it the other way around: first denying access and then allowing for the 2 addresses:

Code:
DenyUsers nagios

Match Address 12.23.45.78
  AllowUsers nagios

Match Address 11:22:44:55::1
  AllowUsers nagios


But now nagios can't login from any address. Moving the top line to the bottom doesn't change it either. Whatever I try, nagios can either login from anywhere or nowhere at all.

I'm sure it's something small, but I can't figure out how to make this work.

Anyone?
Woefdram
 
Posts: 6
Joined: 2017-10-24 00:17

Re: How to limit SSH access for one account to only 2 addres

Postby alan stone » 2017-10-24 07:33

Did you restart the SSH daemon service with # service ssh restart or # systemctl restart ssh?
Debian 8.9 32bit, WM: Openbox
Computers are like air conditioners. They work fine until you start opening windows. - Author Unknown
Programming is like sex. One mistake and you have to support it for the rest of your life. - Michael Sinz
alan stone
 
Posts: 211
Joined: 2011-10-22 14:08
Location: In my body.

Re: How to limit SSH access for one account to only 2 addres

Postby Woefdram » 2017-10-24 19:06

Of course I did, otherwise it wouldn't change between all or nothing ;)

Re: How to limit SSH access for one account to only 2 addres

Postby ralph.ronnquist » 2017-10-24 21:38

Presumably you've also verified that those IPv4/IPv6 addresses are the ones sshd sees.

It is confusing though, since your first code block should have resulted in always blocking out nagios, except if they always connected with those two addresses concurrently ... or maybe there's a more advanced logic behind it; one that considers or ignores match blocks based on the traffic protocol.

Otherwise, I think it should be a single match block including both the addresses, such as:
Code:
Match Address !12.23.45.78,!11:22:44:55::1
    DenyUsers nagios

to make the "deny" apply when the input is neither that IPv4, nor that IPv6. As separate match blocks (i.e., your first code block), the tests would apply separately. Thus, as a disjunction rather than conjunction.

But given your test results, I wouldn't think this works either, and there's something else at play.
ralph.ronnquist
 
Posts: 308
Joined: 2015-12-19 01:07
Location: Melbourne, Australia

Re: How to limit SSH access for one account to only 2 addres

Postby Woefdram » 2017-10-25 00:28

Yeah, the IPv4 is my external IP at home (my monitoring server is behind a NAT box). The IPv6 address is the other one; there's no NAT involved there, of course. And when I log in, those are the addresses I see with "who --ips".

I'm pretty sure I tried the code you posted before, but just to make sure, I tried it again: nagios can login from anywhere... :?

What do you mean by connected concurrently?

Re: How to limit SSH access for one account to only 2 addres

Postby ralph.ronnquist » 2017-10-25 02:15

What do you mean by connected concurrently?

I meant that the connection was identified using both IPv4 and IPv6 at the same time. It can't, of course, so please just ignore.

There is this bug report from many, many moons ago about match patterns being required to include a positive component in order to work. I.e., just negative addresses didn't work. You would try that by adding ,* to the IP list.
Code:
Match Address !12.23.45.78,!11:22:44:55::1,*
    DenyUsers nagios

Re: How to limit SSH access for one account to only 2 addres

Postby alan stone » 2017-10-25 02:44

Woefdram wrote:...otherwise it wouldn't change between all or nothing ;)

I was aware of that. However, as your post didn't mention which debian version you're running and the article referred to only included the first restart instruction, I was wondering which one you used and asked.

Re: How to limit SSH access for one account to only 2 addres

Postby Woefdram » 2017-10-25 14:03

ralph.ronnquist wrote:
There is this bug report from many, many moons ago about match patterns being required to include a positive component in order to work. I.e., just negative addresses didn't work. You would try that by adding ,* to the IP list.
Code:
Match Address !12.23.45.78,!11:22:44:55::1,*
    DenyUsers nagios


Thanks, that did the trick! I don't fully understand what happens here, but at least ssh finally does what I want it to.

If at least one positive component must be present, then this should work:

Code:
DenyUsers nagios
Match Address 12.23.45.78,11:22:44:55::1
  AllowUsers nagios


But it doesn't. So I still don't really understand what's going on, but at least the negations+wildcard works.
Last edited by Woefdram on 2017-10-25 15:03, edited 3 times in total.
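
Why every attempt in this thread came out as all-or-nothing follows from two rules in sshd_config(5). First, the PATTERNS section: a comma-separated list is checked left to right, a matching negated entry rejects at once, a matching positive entry only records a match, and a list made of nothing but negated entries therefore never matches anything. That is why "Match Address !A" never fires and "DenyUsers nagios@!A" never denies, and why adding the positive wildcard in "!A,!B,*" makes the block work. Second, DenyUsers is processed before AllowUsers, and the DenyUsers/AllowUsers lists of a matching Match block are appended to the global lists rather than replacing them, so a global "DenyUsers nagios" cannot be lifted by "AllowUsers nagios" inside a Match block; that is what locks nagios out completely in the last config above. The Python below is an added example, not code from the thread or from OpenSSH: it re-implements those two rules in simplified form (exact user-name comparison, address/CIDR lists only, no hostname patterns) and runs the thread's four configs against the thread's two placeholder addresses plus two constructed "other" client addresses.

```python
"""Model of how sshd evaluates 'Match Address' lists and DenyUsers/AllowUsers.

Added example for this thread, not code from the thread or from OpenSSH.
It implements, simplified, two rules documented in sshd_config(5):
  * PATTERNS: entries are checked left to right; a matching negated entry
    rejects at once, a matching positive entry records a match, and a list
    made only of negated entries can never match anything.
  * DenyUsers is processed before AllowUsers, and the lists of a matching
    Match block are appended to the global ones, so a global DenyUsers
    cannot be undone from inside a Match block.
Assumptions of this model: user names are compared exactly (no wildcards)
and the host part of user@host entries is an address/CIDR list only.
"""
import ipaddress


def addr_match_list(addr, patterns):
    """Match one client address against a comma-separated address/CIDR list
    with '!' negation and the '*' wildcard: a negated hit fails the whole
    list immediately, a positive hit is only remembered."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for raw in patterns.split(","):
        pat = raw.strip()
        neg = pat.startswith("!")
        if neg:
            pat = pat[1:]
        if pat == "*":
            hit = True
        else:
            net = ipaddress.ip_network(pat, strict=False)
            hit = ip.version == net.version and ip in net
        if hit and neg:
            return False          # negated entry matched: the list fails
        if hit:
            matched = True        # keep scanning, a later negation may still reject
    return matched                # an all-negated list always ends here as False


def match_user(user, addr, entry):
    """One DenyUsers/AllowUsers entry: 'user' or 'user@addrpattern'."""
    if "@" in entry:
        upat, hpat = entry.split("@", 1)
        return upat == user and addr_match_list(addr, hpat)
    return entry == user


def effective_lists(cfg, addr):
    """Global lists plus the lists of every Match Address block that matches."""
    deny = list(cfg["global"].get("DenyUsers", []))
    allow = list(cfg["global"].get("AllowUsers", []))
    for match_addr, opts in cfg["match"]:
        if addr_match_list(addr, match_addr):
            deny += opts.get("DenyUsers", [])
            allow += opts.get("AllowUsers", [])
    return deny, allow


def allowed_user(cfg, user, addr):
    """sshd order: any DenyUsers hit denies; then, if AllowUsers is non-empty,
    the user must be listed in it."""
    deny, allow = effective_lists(cfg, addr)
    if any(match_user(user, addr, e) for e in deny):
        return False
    if allow and not any(match_user(user, addr, e) for e in allow):
        return False
    return True


# Placeholder addresses from the thread, plus two constructed "other" clients.
V4, V6 = "12.23.45.78", "11:22:44:55::1"
OTHER4, OTHER6 = "198.51.100.7", "2001:db8::7"

CONFIGS = {
    # Attempt 1: two Match blocks, each with a single negated address.
    "two negated Match blocks": {
        "global": {},
        "match": [("!" + V4, {"DenyUsers": ["nagios"]}),
                  ("!" + V6, {"DenyUsers": ["nagios"]})],
    },
    # Attempt 2: negation inside DenyUsers user@host entries, no Match at all.
    "negated DenyUsers entries": {
        "global": {"DenyUsers": ["nagios@!" + V4, "nagios@!" + V6]},
        "match": [],
    },
    # Attempt 3: global DenyUsers, AllowUsers inside Match blocks.
    "global deny, Match allow": {
        "global": {"DenyUsers": ["nagios"]},
        "match": [(V4, {"AllowUsers": ["nagios"]}),
                  (V6, {"AllowUsers": ["nagios"]})],
    },
    # The working config from the thread: negations plus a positive wildcard.
    "negations plus wildcard": {
        "global": {},
        "match": [("!%s,!%s,*" % (V4, V6), {"DenyUsers": ["nagios"]})],
    },
}


def evaluate(cfg):
    """Which of the four sample client addresses may log in as nagios."""
    return {a: allowed_user(cfg, "nagios", a) for a in (V4, V6, OTHER4, OTHER6)}


if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(name)
        for addr, ok in evaluate(cfg).items():
            print("  %-16s %s" % (addr, "allowed" if ok else "denied"))
```

Running it prints "allowed" for all four clients under the first two configs, "denied" for all four under the third, and the intended result (only the two monitoring addresses allowed) under the last. On the real server the equivalent check is sshd's extended test mode, run as root: sshd -T -f /etc/ssh/sshd_config -C user=nagios,host=<resolved client name>,addr=<client ip> prints the options that would be in effect for that hypothetical connection, so the denyusers/allowusers lines in its output show directly whether a given Match block fired for a given address, without having to attempt logins.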

Re: How to limit SSH access for one account to only 2 addres

Postby Woefdram » 2017-10-25 14:10

alan stone wrote:
Woefdram wrote:...otherwise it wouldn't change between all or nothing ;)

I was aware of that. However, as your post didn't mention which debian version you're running and the article referred to only included the first restart instruction, I was wondering which one you used and asked.


Always good to ask if something's unclear. I'm on Debian Testing (Buster, atm), using OpenSSH 7.6p1.

I quoted only one of several threads I had seen. They all described almost exactly the same things, and I think I tried about every combination possible: edit sshd_conf, restart ssh, test, repeat. To no avail, until ralph shared his knowledge :)

Re: How to limit SSH access for one account to only 2 addres

Postby alan stone » 2017-10-25 15:20

ralph.ronnquist wrote:There is this bug report from many, many moons ago about match patterns being required to include a positive component in order to work.

That's fascinating! Patching a bug with a dose of optimistic autosuggestion. 8)

Woefdram wrote:... To no avail, until ralph shared his knowledge :)

Glad that worked out fine.