sshd

Posted: Wed Aug 06, 2003 5:16 pm
by axehind
Hello all,

I need to allow users to connect to my box via sshd but not allow them to connect out. What should my acl look like to accomplish this? I'm using grsecurity2, openSSH with ldap authentication using PAM.

Thanks

Posted: Thu Aug 07, 2003 8:05 am
by spender
If all your users are in a "users" group, just make a role for the group, and in the default subject for it, add:

connect disabled

You'll then need to add IP ACLs for whatever subjects need connect so that the users can log in (sshd for instance).

-Brad

Posted: Thu Aug 07, 2003 9:05 am
by axehind
Each user has different access. Right now when I try to log in I get this error, which I don't understand. It happens even when I give sshd full access to /

Aug 7 12:53:28 ssh2 kernel: grsec: From 10.1.1.201: denied connect to the unix domain socket /dev/log by (sshd:31316) uid/euid:5558/5558 gid/egid:15000/15000, parent (sshd:2100) uid/euid:0/0 gid/egid:0/0

Posted: Thu Aug 07, 2003 9:07 am
by spender
Do you have any roles set up? Take note of the uid and gid of the sshd process in your log and see if you have roles set up for either of them. If you do, you need to add /dev/log rw to the sshd subject in that role.

-Brad

Posted: Thu Aug 07, 2003 9:22 am
by axehind
I don't understand what you mean by that. Yes, the user exists on the system and there is an acl for them. You mean a nested subject or something like that?

Posted: Thu Aug 07, 2003 10:23 am
by spender
I mean, do you have a line like:

role someuser u

in your /etc/grsec/acl file, where "someuser" is the user on your system with a uid of 5558. If you do, you need to give /dev/log rw access to an sshd subject in that role.

-Brad
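The following policy fragment pulls the advice in this thread together: a role for the login users whose default subject has connect disabled, plus an sshd subject inside that role that is allowed /dev/log rw so the session child can log, and an IP ACL for the one outbound connection PAM's LDAP module needs. It is an added illustration written for this page, not a rule set Brad or axehind posted. The group name "users", the sshd binary path /usr/sbin/sshd and the LDAP server address 10.1.1.10 are assumptions (the address is a placeholder); uid 5558 and gid 15000 are the values from the denial logged above.

```text
# Added example policy fragment for /etc/grsec/acl (not from the thread).
# Assumptions: login users share the group "users" (gid 15000 in the log
# above), sshd is installed at /usr/sbin/sshd, and pam_ldap talks to a
# directory server at 10.1.1.10:389 (placeholder address).

# Group role: matches any process running with the gid of "users".
# A per-user role for uid 5558 would instead be written "role someuser u".
role users g

# Default subject for the role: ordinary user processes may read the
# system and write to their own areas, but may not open outbound
# connections or listen on sockets.
subject /
	/		r
	/home		rwcd
	/tmp		rwcd
	/dev/null	rw
	/dev/tty	rw
	connect disabled
	bind disabled

# After authentication the sshd session child runs under the user's own
# uid/gid (the log shows sshd:31316 with uid 5558, gid 15000), so this
# role, not the root sshd's role, governs it. Without the /dev/log line
# below you get exactly the "denied connect to the unix domain socket
# /dev/log" message from the thread. The connect rule lets pam_ldap reach
# the directory server while everything else stays blocked.
subject /usr/sbin/sshd
	/		r
	/dev/log	rw
	/dev/null	rw
	/dev/tty	rw
	/dev/ptmx	rw
	/dev/pts	rw
	connect 10.1.1.10/32:389 stream tcp
	bind disabled
```

Use the uid/gid pair in the denial message to decide whether the matching role is a user (u) or group (g) role; the subject that needs fixing is the one in that role, as Brad points out, not the root-owned sshd listener. Reload the policy with gradm -R after editing, then check the kernel log for any further grsec denials from the sshd child.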