abstract:darwin:security:ssh (created 2021-09-13 11:27 by pdw; current revision 2021-09-13 13:25 by pdw)
====== SSH ======

===== PAM rhostfilter =====

Some of our users desired a way by which they could exercise some self-service control over SSH connections made to their accounts on servers. With fixed IP addresses from which they would be connecting, a simple allow/deny by address or subnet was desirable.

Thus, a [[https://

==== Configuration file ====

By default, the plugin looks for a file named ''

  - Owned by the user
  - Have no read, write, or execute permissions to group or other users

The same mandates exist for many of the ssh configuration files.

=== Comments ===

The file may contain comments, delimited by a hash (#) character. All characters from the hash to the end of the line are discarded by the parser.

=== Whitespace ===

Whitespace is not significant in the file.

=== Rules ===

Three rule types are accepted.

== Default ==

The ''

<code>
#
# rhostfilter config file
#
Default Allow
</code>

The only other acceptable default disposition is ''

== Deny ==

Access to specific hosts (by name or IP address) or entire subnets (by IP address and prefix) can be prohibited using a ''

<code>
#
# rhostfilter config file
#
Default Allow

# Deny a hostname -- effectively all A/AAAA addresses for that name in DNS:
Deny badhost.hacker.org

# Deny two IPv4 subnets:
Deny 10.1.1.0/24 192.168.56.128/

# Deny an IPv6 address (google.com):
Deny 2607:
</code>

== Allow ==

When the default is set to ''

=== Advanced configurations ===

The ''

Since the rules are processed in sequence and processing ends on the first match, rule ordering can be important. With a default disposition of ''

<code>
#
# rhostfilter config file
#
Default Allow

# Deny a hostname -- effectively all A/AAAA addresses for that name in DNS:
Deny badhost.hacker.org

# A couple of exceptions to the Deny rule that follows:
Allow 10.1.1.5 10.1.1.200 192.168.56.192

# Deny two IPv4 subnets:
Deny 10.1.1.0/24 192.168.56.128/

# Deny an IPv6 address (google.com):
Deny 2607:
</code>
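To make the file rules above concrete (ownership and mode requirements, hash comments, insignificant whitespace, and first-match ordering of Allow/Deny rules ahead of the Default), here is an added Python sketch of the same logic. It is not the pam_rhostfilter module's own code and was not taken from this wiki: the function names, the decision that a missing ''Default'' line is an error, case-insensitive keywords, and every sample value (the hostname ''badhost.example.org'', the constructed DNS answers, the ''/25'' prefix and the ''2001:db8::'' documentation addresses) are assumptions made for the example. The sample config keeps the same line layout as the advanced example so the rule line numbers (4, 7, 10, 13, 16) match the checker transcripts further down the page.

```python
import ipaddress
import socket
import stat

# Added illustration of the rhostfilter semantics described on this page; it is
# NOT the pam_rhostfilter module's own code.  Function names, the handling of a
# missing Default line, case-insensitive keywords and all sample values are assumptions.


def permission_problems(st_uid, st_mode, expected_uid):
    """Reasons to reject the config file, from os.stat() fields: it must be
    owned by the user and carry no group/other permission bits."""
    problems = []
    if st_uid != expected_uid:
        problems.append(f"owned by uid {st_uid}, expected {expected_uid}")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st_mode):04o} grants group/other access")
    return problems


def parse_rules(text):
    """Return (default_disposition, [(lineno, action, targets), ...]).
    '#' starts a comment to end of line; blank lines and extra whitespace are
    ignored; line numbers are kept so a decision can be traced to the file."""
    default, rules = None, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comment, then surrounding whitespace
        if not line:
            continue
        keyword, *targets = line.split()
        keyword = keyword.lower()
        if keyword == "default" and len(targets) == 1 and targets[0].lower() in ("allow", "deny"):
            default = targets[0].lower()
        elif keyword in ("allow", "deny") and targets:
            rules.append((lineno, keyword, targets))
        else:  # e.g. a misspelt keyword such as "Denied", as in the page's checker run
            raise ValueError(f"Invalid rule on line {lineno}: {raw.strip()}")
    if default is None:  # assumption: a Default line is mandatory
        raise ValueError("No Default rule found")
    return default, rules


def dns_resolve(name):
    """Every A/AAAA address for a hostname (real lookup, needs the network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def _networks(target, resolve):
    """A target is an IP, an IP/prefix or a hostname expanded through resolve()."""
    try:
        return [ipaddress.ip_network(target, strict=False)]
    except ValueError:
        return [ipaddress.ip_network(addr) for addr in resolve(target)]


def matches(client, rules, resolve=dns_resolve):
    """Every rule the client address hits, in file order: [(lineno, action), ...].
    This is the exhaustive walk the checker prints; the module itself stops early."""
    addr = ipaddress.ip_address(client)  # a v4 address never matches a v6 network
    return [(lineno, action) for lineno, action, targets in rules
            if any(addr in net for t in targets for net in _networks(t, resolve))]


def decide(client, default, rules, resolve=dns_resolve):
    """The module's decision: first matching rule wins, else the Default.
    Returns (action, lineno); lineno is None when the Default applied."""
    hits = matches(client, rules, resolve)
    return (hits[0][1], hits[0][0]) if hits else (default, None)


# Constructed sample config, laid out like the page's advanced example so the
# rule line numbers (4, 7, 10, 13, 16) coincide with the checker transcripts.
SAMPLE_CONFIG = """\
#
# rhostfilter config file (constructed sample)
#
Default Allow

# Deny a hostname -- every address the resolver returns for it:
Deny badhost.example.org

# Exceptions to the Deny rule that follows:
Allow 10.1.1.5 10.1.1.200 192.168.56.192

# Deny two IPv4 subnets (the /25 is a constructed prefix):
Deny 10.1.1.0/24 192.168.56.128/25

# Deny a single IPv6 address (documentation range):
Deny 2001:db8::1
"""

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"badhost.example.org": ["203.0.113.7", "2001:db8::bad"]}


def sample_resolve(name):
    return SAMPLE_DNS[name]


DEFAULT, RULES = parse_rules(SAMPLE_CONFIG)

if __name__ == "__main__":
    for client in ("10.1.1.5", "10.1.1.6", "192.168.56.192", "203.0.113.7", "2001:db8::2"):
        print(client, decide(client, DEFAULT, RULES, sample_resolve), matches(client, RULES, sample_resolve))
```

Running it shows why ordering matters: ''10.1.1.5'' hits both the Allow on line 10 and the Deny on line 13, and it is the earlier Allow that decides; swap the two rules and the exception is silently dead. ''permission_problems'' takes the raw ''st_uid''/''st_mode'' fields so the ownership and mode check can be exercised without touching the filesystem; wrap it around ''os.stat()'' and ''os.getuid()'' in real use.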

==== Checking a configuration ====

The configuration checker uses a small number of options and arguments:

<code>
$ pam_rhostfilter_check --help
usage:

pam_rhostfilter_check {options>
options:

--help/
--conf/-c <
of the default (/
--syntax/
or addresses necessary
</code>

In its simplest mode, the checker performs a syntax check of a configuration file. Consider the example file in the advanced configuration section above:

<code>
$ pam_rhostfilter_check --conf=pam_rhostfilter.conf --syntax
ERROR:
</code>

The file in question is owned by me, but has mode 0644; no group or other-user permissions are allowed on the file:

<code>
$ chmod 0600 pam_rhostfilter.conf

$ pam_rhostfilter_check --conf=pam_rhostfilter.conf --syntax
[INFO] Setting default disposition to Allow on line 4
[INFO] Found Deny rule on line 7:
[INFO] Found Allow rule on line 10:
[INFO] Found Deny rule on line 13:
[INFO] Found Deny rule on line 16:
</code>

No errors were found in the configuration file. If I misspell one of the keywords, for example:

<code>
$ pam_rhostfilter_check --conf=pam_rhostfilter.conf --syntax
[INFO] Setting default disposition to Allow on line 4
[INFO] Found Deny rule on line 7:
[INFO] Found Allow rule on line 10:
[INFO] Found Deny rule on line 13:
[ERR ] Invalid rule on line 16: Denied 2607:
</code>

The checker can also be used to test the set of rules against one or more hostnames, IP addresses, or IP addresses with prefix:

<code>
$ pam_rhostfilter_check --conf=pam_rhostfilter.conf google.com
[INFO] Setting default disposition to Allow on line 4
[INFO] Found Deny rule on line 7:
[FAIL]
[INFO] Found Allow rule on line 10:
[ OK ]
[INFO]
[INFO]
[INFO]
[ OK ]
[INFO]
[INFO]
[INFO]
[ OK ]
[INFO]
[INFO]
[INFO]
[INFO] Found Deny rule on line 13:
[ OK ]
[INFO]
[INFO]
[INFO]
[INFO]
[INFO]
[ OK ]
[INFO]
[INFO]
[INFO]
[INFO]
[INFO]
[INFO] Found Deny rule on line 16:
[ OK ]
[INFO]
[INFO]
[INFO]
[INFO]
</code>

Note that the entire list of rules will be checked: the utility does not exit on the first match, but the first match is easily visible in the output.