restrict remote logins to service accounts. 2006-01-17 - By David.Knight@(protected)

I'm not sure I could push this product into production here as there is little to no support / life cycle management for it. They are pretty strict about that kind of stuff here. Here is a bit from the FAQ that I thought was interesting:
Q: Why did you write this software? A: Mainly, because the question of how to restrict access to scp or sftp only kept coming up on a few different mailing lists I was on at the time... Several people made some suggestions (like using a shell script as the user's shell) which sort of work, but aren't terribly secure or reliable. The commercial SSH product has a program to do this, but OpenSSH does not. Joe Boyle has a similar program called scponly, which at the time I looked at it had some security problems, though they have since been fixed... It does currently have some functionality that rssh does not (namely it works with WinSCP; see below), and some that it never will have (more on that in a moment). Obviously I prefer the way I've implemented my program, or else I wouldn't have written it. =8^)
So I guess my question is a fairly common one. But this is what I am looking for.

Thanks for the help!
David Knight

"Michael Sobotta" <michael.sobotta@(protected)>
Sent by: taroon-list-bounces@(protected)
01/17/2006 10:15 AM
Please respond to "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>
cc:
Subject: RE: restrict remote logins to service accounts.
We've had success creating accounts that are only able to sftp to a machine using a handy little program called rssh (http://www.pizzashack.org/rssh/). You will be able to configure this so your service accounts can only scp to a machine and not ssh and/or sftp.
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)] On Behalf Of David.Knight@(protected)
Sent: Tuesday, January 17, 2006 15:36
To: taroon-list@(protected)
Subject: restrict remote logins to service accounts.
All,
I have an issue with Admins/DBAs logging into my servers directly as service accounts such as user 'oracle'. I have had a hard time getting people to adopt the use of sudo. I am at the point where I need to restrict direct logins to these accounts. My goal is to force people to sudo to the service accounts from their assigned user account. I only allow ssh/scp connections to my servers. I have tried the sshd_config option "AllowUsers" but this also restricts scp logins. I can't restrict this, because automated processes run under the service accounts use scp. So the only thing I need to restrict is direct remote "ssh" logins. Any suggestions would be great.
-David Knight
-- Taroon-list mailing list Taroon-list@(protected) https://www.redhat.com/mailman/listinfo/taroon-list
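As an added illustration of the constraint in the original question (block interactive ssh logins to a service account but keep scp working for automated jobs), here is a forced-command wrapper for OpenSSH. This is example code written for this page, not rssh and not anything from the thread; the script name, its installation path and the `Match User oracle` block are assumptions, and the quoted FAQ's caveat applies: a script like this is only as safe as its command check, so test it against the exact invocation your scp clients send.

```shell
#!/bin/sh
# Example wrapper (assumed path /usr/local/sbin/scp-only-wrapper) to be set in
# sshd_config with standard OpenSSH directives:
#   Match User oracle
#       ForceCommand /usr/local/sbin/scp-only-wrapper
# sshd exports the client's requested command in SSH_ORIGINAL_COMMAND; it is
# empty for an interactive "ssh oracle@host" login, which is what we refuse.

# Return 0 when the command is a plain scp server invocation
# ("scp [-v] [-r] [-p] [-d] -t|-f <path>"), 1 for anything else.
scp_command_allowed() {
    cmd="$1"
    # No command means an interactive shell was requested: refuse.
    [ -n "$cmd" ] || return 1
    # Refuse shell metacharacters so nothing can be chained onto scp.
    case "$cmd" in
        *[\;\&\|\`\$\(\)\<\>\\]*) return 1 ;;
    esac
    set -f                 # no globbing while splitting the command into words
    set -- $cmd
    set +f
    [ "$1" = "scp" ] || return 1
    shift
    mode=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -v|-r|-p|-d) shift ;;                 # harmless transfer flags
            -t|-f) mode="$1"; shift; break ;;      # receive-to / send-from
            *) return 1 ;;                        # unknown option: refuse
        esac
    done
    # Exactly one path argument must follow -t/-f (paths with spaces are
    # therefore refused; strictness is the point of the wrapper).
    [ -n "$mode" ] && [ $# -eq 1 ]
}

# Entry point when sshd runs this file as the forced command.
if [ "${0##*/}" = "scp-only-wrapper" ]; then
    if scp_command_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -p auth.warning -t scp-only-wrapper \
        "refused for ${USER:-?}: ${SSH_ORIGINAL_COMMAND:-<interactive login>}"
    echo "Direct logins to this account are disabled; sudo from your own account." >&2
    exit 1
fi
```

The logger line gives you an audit trail of who is still trying to log in directly, which is useful while people are being moved over to sudo.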