
I have a rule in place that goes like this (leading less-thans omitted):

 <!-- Rule for Foos -->
 <rule group="foo" idle-timeout="0">
   <terminal action="deny" />
   <subsystem type="sftp" application="sftp-server-g3" action="allow" />
   <command action="allow" />
   <tunnel-agent action="deny" />
   <tunnel-x11 action="deny" />
   <tunnel-local action="allow" >
      <dst fqdn="server1" port="80" />
      <dst fqdn="server1.domain.com" port="80" />
      <dst address="10.0.5.1" port="80" />
      <dst fqdn="localhost" port="80" />
   </tunnel-local>
   <tunnel-remote action="deny" />
 </rule>


This is a Linux RHEL5 machine that has been added to a Windows domain and authenticates, via winbind, to the domain AD.
I have added the group and its Windows GID to /etc/group, and I have confirmed that the account I am using to connect has 'foo' set as the primary group for the test user.
My understanding is that, according to the rule I have in place, said user should only be allowed to access port 80 on server1.
Yet when I ssh in with the following tunnel:

#ssh -L8083:machine2:80 testuser@sshg3.domain.com


I am in fact able to load pages from machine2's web server.

I have tried replacing the group name foo in the above rule with its GID instead and 'reloaded' the server via

#/etc/init.d/ssh-server-g3 reload

but the access continues.


Any ideas on how I can secure this port access? Is my use of the 'rule group="foo"' accurate? Can a GID be used instead (as I said, I've done this already) and should that work?

Any help in understanding this will be greatly appreciated.

asked Aug 20 '10 at 02:19 by David

edited Aug 20 '10 at 05:53 by Roman ♦♦


Hi David,

The group attribute in the rule does not map directly to operating system groups; it refers to groups defined in the server configuration. Also, in order for this rule to take effect, there needs to be a selector that places an incoming user into this rule.

For example, in order for your rule to apply to users from group foo, you would need something like this:

<!-- Place users from OS group foo into group only-tunnels -->
<group name="only-tunnels">
  <selector>
    <user-group name="foo" />
  </selector>
</group>

<!-- Rule for only-tunnels group -->
<rule group="only-tunnels" idle-timeout="0">
  <terminal action="deny" />
  <subsystem type="sftp" application="sftp-server-g3" action="allow" />
  <command action="allow" />
  <tunnel-agent action="deny" />
  <tunnel-x11 action="deny" />
  <tunnel-local action="allow" >
     <dst fqdn="server1" port="80" />
     <dst fqdn="server1.domain.com" port="80" />
     <dst address="10.0.5.1" port="80" />
     <dst fqdn="localhost" port="80" />
  </tunnel-local>
  <tunnel-remote action="deny" />
</rule>

<!-- default rule -->
<rule idle-timeout="300">
...
</rule>

These need to be before the default rule (the one that does not define a group), since the first one to match will be used.

The user-group selector can match against either a group name or a GID. Wildcards are also allowed.

For a more complete description of all the selectors that can be used within a group, see here: http://productdocs.ssh.com/support/documentation/online/ssh/adminguide/61/serverconfig-selectors.html


answered Aug 20 '10 at 13:27 by Roman ♦♦
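To make the group/selector/rule lookup Roman describes concrete, here is an added example (not code from this thread and not SSH Tectia's own code): a small Python model of how ssh-server-g3 picks a rule, run against two constructed configs, one reproducing David's original attempt (a `rule group="foo"` with no matching `<group>` defined) and one with Roman's fix. It also audits a config for the two mistakes the answer warns about: a rule bound to an undefined group, and group rules placed after the default rule. The element names follow the snippets above; the outer `<secsh-server>`/`<services>` wrapper, the body of the default rule, the "missing element means allow" default, and the plain string comparison of the requested host against `fqdn=`/`address=` are assumptions that simplify the real server's matching.

```python
"""Added example, not from the thread or from SSH Tectia Server: a simplified
model of the group / selector / rule lookup, to show why David's first rule
never applied and why Roman's corrected config does. Assumptions are marked."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed config reproducing David's original attempt: <rule group="foo">
# with no <group name="foo"> defined anywhere, followed by a permissive default
# rule (the thread shows only "..." for it; this body is constructed).
BROKEN_CONFIG = """\
<secsh-server>
  <services>
    <rule group="foo" idle-timeout="0">
      <terminal action="deny" />
      <tunnel-local action="allow">
        <dst fqdn="server1" port="80" />
        <dst fqdn="server1.domain.com" port="80" />
        <dst address="10.0.5.1" port="80" />
      </tunnel-local>
      <tunnel-remote action="deny" />
    </rule>
    <rule idle-timeout="300">
      <tunnel-local action="allow" />
    </rule>
  </services>
</secsh-server>
"""

# Constructed config with Roman's fix: a <group> whose selector matches OS
# group "foo", and the rule re-bound to that group, both before the default.
FIXED_CONFIG = BROKEN_CONFIG.replace('<rule group="foo"', '''\
<group name="only-tunnels">
      <selector>
        <user-group name="foo" />
      </selector>
    </group>
    <rule group="only-tunnels"''')


def selector_matches(group_el, os_groups):
    """True if any <user-group name="..."> under this <group> matches one of the
    user's OS groups. Names and GIDs are compared as strings, shell wildcards
    honoured (assumption: a numeric GID is matched as just another string)."""
    patterns = [ug.get("name") for ug in group_el.iter("user-group") if ug.get("name")]
    return any(fnmatch.fnmatchcase(str(g), p) for g in os_groups for p in patterns)


def select_rule(root, member_of):
    """First <rule> in document order bound to a group the user is in, else the
    first rule with no group= (the default). A rule naming a group that no
    <group> element defines can never match; that is what David hit."""
    for rule in root.iter("rule"):
        grp = rule.get("group")
        if grp is None or grp in member_of:
            return rule
    return None


def local_tunnel_allowed(rule, host, port):
    """Evaluate <tunnel-local> for a -L tunnel to host:port. Assumptions: no
    element, or action="allow" with no <dst>, allows everything; with <dst>
    children only listed targets pass; host is compared as a plain string."""
    tl = rule.find("tunnel-local")
    if tl is None:
        return True
    if tl.get("action") != "allow":
        return False
    dsts = tl.findall("dst")
    if not dsts:
        return True
    return any(host == (d.get("fqdn") or d.get("address"))
               and d.get("port") in (None, str(port)) for d in dsts)


def check(config_xml, os_groups, host, port):
    """Groups the user lands in, the rule that fires, and whether
    ssh -L<lport>:host:port would be permitted under that rule."""
    root = ET.fromstring(config_xml)
    member_of = [g.get("name") for g in root.iter("group")
                 if selector_matches(g, os_groups)]
    rule = select_rule(root, member_of)
    return {"groups": member_of,
            "rule_group": None if rule is None else rule.get("group"),
            "allowed": rule is not None and local_tunnel_allowed(rule, host, port)}


def audit(config_xml):
    """The two config mistakes Roman's answer points at: a rule bound to a group
    no <group> defines, and a group rule after the default rule (unreachable,
    since the first match wins)."""
    root = ET.fromstring(config_xml)
    defined = {g.get("name") for g in root.iter("group")}
    problems, seen_default = [], False
    for rule in root.iter("rule"):
        grp = rule.get("group")
        if grp is None:
            seen_default = True
            continue
        if grp not in defined:
            problems.append(f"rule group={grp!r} references an undefined group")
        if seen_default:
            problems.append(f"rule group={grp!r} comes after the default rule and is unreachable")
    return problems
```

With `check(BROKEN_CONFIG, ["foo"], "machine2", 80)` the user is placed in no configured group, the `group="foo"` rule is skipped, and the default rule lets the tunnel through; with `FIXED_CONFIG` the same user lands in `only-tunnels`, `machine2:80` is refused and only the listed `server1` destinations on port 80 pass. `audit(BROKEN_CONFIG)` reports the undefined group, which is the quickest way to spot this class of mistake before reloading the server.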

Thank you Roman! That is exactly what I was looking for and appears to be working perfectly! Thanks for the quick reply!

(Aug 20 '10 at 22:55) David

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.