abstract:darwin:security:ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

abstract:darwin:security:ssh [2021-09-13 11:27] – created pdwabstract:darwin:security:ssh [2021-09-13 13:25] (current) pdw
Line 1: Line 1:
 +====== SSH ======
 +
 +===== PAM rhostfilter =====
 +
 +Some of our users desired a way by which they could exercise some self-service control over SSH connections made to their accounts on servers. With fixed IP addresses from which they would be connecting, a simple allow/deny by address or subnet was desirable.
 +
 +Thus, a [[https://github.com/jtfrey/pam_rhostfilter|PAM module]] that implements an account check that validates the remote host against a user-definable configuration file was created.
 +
 +==== Configuration file ====
 +
 +By default, the plugin looks for a file named ''.pam_rhostfilter.conf'' in the user's home directory. The file must be:
 +
 +  - Owned by the user
 +  - Have no read, write, or execute permissions to group or other users
 +
 +The same mandates exist for many of the ssh configuration files.
 +
 +=== Comments ===
 +
 +The file may contain comments, delimited by a hash (#) character. All characters from the hash to the end o the line are discarded by the parser.
 +
 +=== Whitespace ===
 +
 +Whitespace is not significant in the file.
 +
 +=== Rules ===
 +
 +There are three rule types accepted.
 +
 +== Default ==
 +
 +The ''Default <disposition>'' rule determines what the plugin should return if no rules match the remote host's IP address. By default, connections are allowed — this can be made explicit:
 +
 +<code>
 +#
 +# rhostfilter config file
 +
 +Default Allow
 +</code>
 +
 +The only other acceptable default disposition is ''Deny''.
 +
 +== Deny ==
 +
 +Access to specific hosts (by name or IP address) or entire subnets (by IP address and prefix) can be prohibited using a ''Deny'' rule. Each rule consists of the ''Deny'' keyword followed by one or more hostnames, IP addresses, or IP address and prefix. By default, the plugin is built with IPv6 support so both IPv4 and IPv6 addresses are accepted.
 +
 +<code>
 +#
 +# rhostfilter config file
 +#
 +Default Allow
 +
 +# Deny a hostname -- effectively all A/AAAA addresses for that name in DNS:
 +Deny badhost.hacker.org
 +
 +# Deny two IPv4 subnets:
 +Deny 10.1.1.0/24 192.168.56.128/25
 +
 +# Deny an IPv6 address (google.com):
 +Deny 2607:f8b0:4006:81a::200e
 +</code>
 +
 +== Allow ==
 +
 +When the default is set to ''Deny'', exceptions take the form of an ''Allow'' rule. Each rule consists of the ''Allow'' keyword followed by one or more hostnames, IP addresses, or IP address and prefix (the same format as ''Deny'' rules).
 +
 +=== Advanced configurations ===
 +
 +The ''Default'' rule can be used multiple times but only its final occurrence is significant. The default disposition is ''Allow'' as an attempt to protect users from accidentally locking themselves out of their account. **Be very careful when authoring a configuration with a default disposition of deny; be sure to test prior to closing your connection to the remote system!** (Testing configuration files is covered in a later section of this document.)
 +
 +Since the rules are processed in sequence and processing ends on the first match, rule ordering can be important. With a default disposition of ''Allow'', any ''Allow'' rule functions as an early exit point. Protecting a specific host/subnet from a later ''Deny'' rule that would match it, for example:
 +
 +<code>
 +
 +#
 +# rhostfilter config file
 +#
 +Default Allow
 +
 +#Deny a hostname -- effectively all A/AAAA addresses for that name in DNS:
 +Deny badhost.hacker.org
 +
 +# A couple exceptions to the Deny rule that follows:
 +Allow 10.1.1.5 10.1.1.200 192.168.56.192
 +
 +# Deny two IPv4 subnets:
 +Deny 10.1.1.0/24 192.168.56.128/25
 +
 +# Deny an IPv6 address (google.com):
 +Deny 2607:f8b0:4006:81a::200e
 +</code>
 +
 +==== Checking a configuration ====
 +
 +The configuration checker uses a small number of options and arguments:
 +
 +<code>
 +$ pam_rhostfilter_check --help 
 +usage:
 +
 +    pam_rhostfilter_check {options> <hostname|ip-address> {<hostname|ip-address> ..}
 +  options:
 +
 +    --help/-h                      show this information
 +    --conf/-c <filename>           use this configuration file instead
 +                                   of the default (/home/1001/.pam_rhostfilter.conf)
 +    --syntax/-s                    check file syntax only, no hostnames
 +                                   or addresses necessary
 +</code>
 +
 +In its simplest mode, a syntax check of a configuration file is effected. Consider the example file in the advanced configuration section above:
 +
 +<code>
 +$ pam_rhostfilter_check --conf=pam_rhostfilter.conf --syntax
 +ERROR:  configuration file not acceptable: pam_rhostfilter.conf (errno = 1)
 +</code>
 +
 +The file in question is owned by me, but has mode 0644; no group- or other-user permission are allowed on the file:
 +
 +<code>
 +$ chmod 0600 pam_rhostfilter.conf
 +
 +$ pam_rhostfilter_check --conf=pam_rhostfilter.conf --syntax
 +[INFO] Setting default disposition to Allow on line 4
 +[INFO] Found Deny rule on line 7:
 +[INFO] Found Allow rule on line 10:
 +[INFO] Found Deny rule on line 13:
 +[INFO] Found Deny rule on line 16:
 +</code>
 +
 +No errors were found in the configuration file. If I misspell one of the keywords, for example:
 +
 +<code>
 +$ pam_rhostfilter_check --conf=pam_rhostfilter.conf --syntax
 +[INFO] Setting default disposition to Allow on line 4
 +[INFO] Found Deny rule on line 7:
 +[INFO] Found Allow rule on line 10:
 +[INFO] Found Deny rule on line 13:
 +[ERR ] Invalid rule on line 16: Denied 2607:f8b0:4006:81a::200e
 +</code>
 +
 +The checker can also be used to test the set of rules against one or more hostnames, IP addresses, or IP addresses with prefix:
 +
 +<code>
 +$ pam_rhostfilter_check --conf=pam_rhostfilter.conf google.com
 +[INFO] Setting default disposition to Allow on line 4
 +[INFO] Found Deny rule on line 7:
 +[FAIL]     badhost.hacker.org (unable to resolve)
 +[INFO] Found Allow rule on line 10:
 +[ OK ]     10.1.1.5         prefix length = -1
 +[INFO]        0   172.217.9.238
 +[INFO]            0   10.1.1.5
 +[INFO]        1   2607:f8b0:4006:081a:0000:0000:0000:200e
 +[ OK ]     10.1.1.200         prefix length = -1
 +[INFO]        0   172.217.9.238
 +[INFO]            0   10.1.1.200
 +[INFO]        1   2607:f8b0:4006:081a:0000:0000:0000:200e
 +[ OK ]     192.168.56.192         prefix length = -1
 +[INFO]        0   172.217.9.238
 +[INFO]            0   192.168.56.192
 +[INFO]        1   2607:f8b0:4006:081a:0000:0000:0000:200e
 +[INFO] Found Deny rule on line 13:
 +[ OK ]     10.1.1.0         prefix length = 24
 +[INFO]            IPv6 mask: 0xffffff00000000000000000000000000
 +[INFO]            IPv4 mask: 0xffffff00
 +[INFO]        0   172.217.9.0
 +[INFO]            0   10.1.1.0
 +[INFO]        1   2607:f800:0000:0000:0000:0000:0000:0000
 +[ OK ]     192.168.56.128         prefix length = 25
 +[INFO]            IPv6 mask: 0xffffff80000000000000000000000000
 +[INFO]            IPv4 mask: 0xffffff80
 +[INFO]        0   172.217.9.128
 +[INFO]            0   192.168.56.128
 +[INFO]        1   2607:f880:0000:0000:0000:0000:0000:0000
 +[INFO] Found Deny rule on line 16:
 +[ OK ]     2607:f8b0:4006:81a::200e         prefix length = -1
 +[INFO]        0   172.217.9.238
 +[INFO]        1   2607:f8b0:4006:081a:0000:0000:0000:200e
 +[INFO]            0   2607:f8b0:4006:081a:0000:0000:0000:200e
 +[INFO]                IPv6 MATCH!
 +</code>
 +
 +Note that the entire list of rules will be checked: the utility does not exit on the first match, but the first match is easily visible in the output.