From: "Peter K. Lee" <saint@corenova.com>
To: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Cc: Stephen Smalley <sds@epoch.ncsc.mil>, SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: sshd transition points
Date: 16 Feb 2005 09:59:17 -0800
Message-ID: <1108576757.26442.72.camel@snap3401>
In-Reply-To: <20050216175027.GZ31121@lkcl.net>
Luke, I was wondering why you can't use sshd_config like this:
AllowUsers \
restricted_user1@192.168.0.223 \
restricted_user2@192.168.0.224 \
...
Also, if you used SE/Linux to do per-user/IP ACLs, wouldn't you need an
entry in the policy (file?) for every user? And would the policy be reloaded
at run-time every time it gets modified? (sorry, I have _no_ idea how
SE/Linux works yet...)
-Peter
On Wed, 2005-02-16 at 09:50, Luke Kenneth Casson Leighton wrote:
> just fyi: this is an actual real-world deployment of SE/Linux for
> a Bastion Server, where it is necessary to restrict which users
> may sftp in and upload files on the box - and also to restrict
> the users to only one particular directory - _and_ also to restrict
> which IP addresses those users can come in on.
>
> so it's actually quite an exciting project.
>
> bearing in mind that it is possible to compromise or just
> absent-mindedly or otherwise in a blasé fashion copy ssh
> private keys (esp. amongst security-unconscious users) it
> becomes necessary to restrict one set of sftp users from being
> able to sftp in to another customer's upload directory.
>
> yes, the iptables approach works fine - right up to the point
> where you run out of virtual interfaces because of the number
> of different customers that the Bastion Server is supporting.
>
> l.
>
> On Wed, Feb 16, 2005 at 03:26:45PM +0000, Luke Kenneth Casson Leighton wrote:
> > stephen, i believe i have enough to go on, now: thank you for your
> > help, even if it's not entirely clear what i want to achieve here :)
> >
> > i aim to add a setcon() into sshd's "input_userauth_request()"
> > function just after the point where the username is obtained,
> > such that any unauthorised IP addresses for that username will
> > immediately stop any further TCP traffic.
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
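Added example, not from the thread or from either poster: an sshd_config fragment expressing the bastion requirements in Luke's message (per-user source-IP restriction, sftp only, one upload directory per customer) using the AllowUsers user@host form Peter suggests. The Match, ChrootDirectory and internal-sftp directives below come from OpenSSH releases later than the ones available in early 2005; the usernames, addresses and the /srv/sftp path are placeholders.

```text
# Added example (not from the thread). Placeholder users, addresses and paths.

# Serve sftp in-process so no sftp-server binary is needed inside the chroot.
Subsystem sftp internal-sftp

# AllowUsers is a whitelist: once any entry exists, every user not matched is
# rejected (logged as "not listed in AllowUsers") as soon as the client
# presents a username; the TCP connection itself is not dropped. The host part
# of user@host is matched against the client's IP address (and its
# reverse-resolved name when UseDNS is on). Repeat the directive on separate
# lines rather than relying on line continuation; the lists accumulate.
AllowUsers restricted_user1@192.168.0.223
AllowUsers restricted_user2@192.168.0.224

# Confine the listed users to their own directory and to sftp only.
# ChrootDirectory must be owned by root and not writable by any other user;
# give each customer a writable subdirectory inside it (e.g. upload/).
Match User restricted_user1,restricted_user2
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check syntax with `sshd -t`, and print the settings that would apply to one connection with `sshd -T -C user=restricted_user1,host=192.168.0.223,addr=192.168.0.223`. The residual risk Luke raises remains: a private key copied to another customer's machine that also connects from 192.168.0.223 passes the IP check, which is why the per-user ChrootDirectory, not the address list, is what keeps one customer out of another's directory.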