How to Limit SSH Access




Created by Pete Nesbitt  pete@linux1.ca
October 27, 2003

This document is intended to be a guide for creating a secure method to access 
system from a specific remote host. The intent is to allow access without 
opening the system up to everyone everywhere.

The idea is to set the host up to allow access from a specific remote system. 
This can be used, for example, to acess your home system from work.

Overview:
We will use IPtables to control the source of the ssh request, this is typically 
on the edge of your network but could run on the host itself. Then we use 
TCPwrappers as a second level check. If you think this sounds a bit redundent, 
your right! Then we restict which accounts can access ssh by implimenting PAM 
access rules. Finally we make a few changes to the default sshd configuration to 
force a key based authentication, which links to the remote host for the key and 
the specified user who has the pass phrase for the key.


The Details:
Note: You may want to do the key generation (last step) early so you can easily 
scp it without restrictions in place, although this set up would allow a 
seamless 'reverse scp' anyway.

------------------
-IPtables Firewall:
Although there are many ways to set up firewall rules, the best approach is 
'everything is denied except that which is explicitly allowed'. This method errs 
on the side of caution as there are always typoes and other little issues to fix.
If you need help seting up IPTables you may want to start at the projects home:
http://www.netfilter.org

The basic firewall rules for ssh should resemble:

  Prerouting Chain:
     $IPTABLES -A PREROUTING -t nat -p tcp -i $EXT_IF \
        --dport 22 -j DNAT --to-destination $SSH_TARGET 

  Forward Chain:
     $IPTABLES -A FORWARD -i $EXT_IF -p tcp --dport 22 -j SSH_CHAIN

  SSH Chain: (note "123.123.123.0/24" is the remote ssh clients host or network)
     $IPTABLES -A SSH_CHAIN -p tcp -m state --state NEW -i $EXT_IF \
        --dport 22 -j LOG --log-prefix "NetF SSH Login: "
     $IPTABLES -A SSH_CHAIN -p tcp -i $EXT_IF -s 123.123.123.0/24 \
         -d $MY_WORKSTATION --dport 22 -j ACCEPT
     $IPTABLES -A SSH_CHAIN -j RETURN



----------------------------
-TCPwrappers Acceess Control:
Set your hosts.allow and hosts.deny as follows (add other services as required).
Note, do not allow ssh inbound from the firewall/gateway ip (.1) as this 
should never be the case.

 /etc/host.allow
   ALL: 127.0.0.1
   ALL: 192.168.0. EXCEPT 192.168.0.1
   sshd: 123.123.123. EXCEPT UNKNOWN # (ssh clients host or network)
     # note "UNKNOWN" forces reverse DNS lookup and may help prevent spoofing.

 /etc/hosts.deny
   ALL: ALL



-------------------
-PAM access control:
Here we use PAM to restrict access to sshd to a specific target user. By seting 
this to a cryptic user id helps prevent id & password guessing. Once authenticated 
the user can su to her regular id.

edit /etc/pam.d/sshd (it's always best to make a copy of the original first)
 add the line:
 account  required  /lib/security/pam_access.so accessfile=/etc/security/access.conf_ssh


touch /etc/security/access.conf_ssh
  (or copy /etc/security/access.conf to include comments)

edit /etc/security/access.conf_ssh adding the following:
    +:ALL:192.168.0. mymachine.mylan.com .localdomain
    +:some_criptic_user:.myremotesite.com
    -:ALL:ALL

(note that although we allow access for all users on the local lan, the next 
section would require that keys are in place on those systems.)



------------------
-SSHD Restrictions:
make the following changes to /etc/ssh/sshd.conf to disllow root user access and 
to disallow password or athentication, forcing key based. (You will see similar 
lines that are commented out which display the defaults.)

PermitRootLogin no
PasswordAuthentication no
PAMAuthenticationViaKbdInt no

Note: you will need to reload/restart the sshd daemon for changes to take place.
      You can use "service sshd reload", "/etc./init.d/sshd reload" or 
      "killall -HUP sshd" depending on your system or personal preference.



-----------------------------
-Generate Authentication Keys:
As the user you want to log in as, but on the remote system (same user), run the 
following:
'ssh-keygen -t dsa' and enter a decent pass-phrase when requested.

This will leave 2 keys in the users .ssh directory named something like 'id_dsa' 
and 'id_dsa.pub'. Transfer the 'id_dsa.pub' file (via scp, sftp, floppy etc but 
NOT ftp!) to the sshd host. If the users .ssh dir has a file named "authorized_keys" 
then append the key to that file, otherwise, create the file and copy the key into it.



You know have a ssh daemon that only allow access from a specific user on a specific 
remote network via key based authentication combined with a pass-phrase. The only 
real downside is that you need to create keys for any local systems that require 
ssh access to this host.