My boss is concerned about unauthorized logins and tracking what servers the staff is connecting to. He has come up with this method that he wants me to try and implement. I don't want someone to do this for me, but I want to share the proposed method and see what may be available out there to do this.
The concept is simple... We would set up a "login server". All users would be connecting to an Ubuntu LINUX server, let's call it "central". The server has had oathtool installed to allow for two factor authentication, and we have the feature working. I enter login name "sample" and it prompts for the six digit code from Google Authenticator. Next it prompts for the personal password. If both are successful, user is allowed into the system.
Now here is where it gets a bit strange. From this central authentication PC, the company wants our users to then have to SSH to various other servers on our network. For example, you may have to "ssh dvlp_server" to do stuff in development, or jump on a customer server using "ssh acme-corp". But what they do NOT want is for any users to be allowed to go straight to that destination server without first authorizing through the central login server. In other words, I can open a PuTTY session and ssh to central as "steve@central" and then ssh to dvlp-server from there, but I should never be allowed to use PuTTY and go straight to "steve@dvlp-server".
Is that even possible to prevent? Is there some sort of /etc/hosts.allow file that forces the SSH sessions to ONLY connect if they originated from a particular server or IP address?
The only way I am aware of at this time would be to add logic to the /etc/profile so that after you log in, it validates your hostname or IP (using who -m field) and kicks you back out if the name is not "central" or the IP is not "xxx.xxx.yyy.zzz". But that means I am only catching the login AFTER they've already logged on and then forcing them out. The intention was to not accept logins from that non-central server in the first place!
If anyone can point me in the right direction in terms of commands, links to better authentication methods, etc. I could really use that. I'm not sure that what my boss wants me to implement is really the best approach to this. At this time, we are not considering Active Directory or LDAP servers but maybe we should? We already have been using RSA SecurID 2FA on some of our servers. But I think they want an open-source solution.
Thanks in advance for any ideas on better approaches.
Steve
It looks like the solution to this issue may be related to making changes to the sshd_config file.
There is a section in there for "Match" options that I was not aware of. We can force SSH to only accept traffic if the connection is from a specific IP address (or possibly a hostname), or if the username is in a list of authorized (matching) names. You can even make a combo of it... UserA can only connect if coming from 192.168.77.251, for example.
More information was found here: Restrict Certain users or groups in SSH
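As an added example (not from the original post or the linked article), here is the sort of sshd_config fragment that the Match / AllowUsers approach described above turns into on each destination server. The address 192.0.2.10 is assumed to be "central" as the destination host sees it, 10.0.0.0/24 is an assumed admin LAN for a break-glass path, and the user names are placeholders.

```sshd_config
# Fragment of /etc/ssh/sshd_config on a destination host (dvlp-server, acme-corp, ...).
# Added example, not from the original post. 192.0.2.10 is the assumed address of
# "central" as the destination host sees it; replace it with the real source address.

# --- Global section (must come before the first Match) ---
# AllowUsers patterns are USER@HOST. "*@192.0.2.10" lets every account in, but
# only when the connection arrives from central. Any other source is refused
# during authentication, before a shell is ever started, so no /etc/profile
# trick is needed. The second pattern keeps a break-glass path from the admin
# LAN (assumed 10.0.0.0/24; HOST may be an address or a CIDR block).
AllowUsers *@192.0.2.10 breakglass@10.0.0.0/24

# Per-user variant from the post ("UserA can only connect if coming from
# 192.168.77.251"): list that user with that host instead of the wildcard.
# AllowUsers usera@192.168.77.251

# --- Conditional settings: apply only to sessions coming through central ---
Match Address 192.0.2.10
    # central already did the OTP + password check; require keys on this hop
    # so a password captured elsewhere cannot be replayed from the jump host.
    PasswordAuthentication no
    PubkeyAuthentication yes
    # Stamp every login with its origin in auth.log for the tracking requirement.
    LogLevel VERBOSE

# Verification, run as root on the destination host (changes nothing):
#   sshd -t                                   # config syntax check
#   sshd -T -C user=steve,addr=192.0.2.10 | grep -iE 'allowusers|passwordauthentication'
#   sshd -T -C user=steve,addr=203.0.113.7 | grep -i allowusers
# Then try "ssh steve@dvlp-server" straight from a workstation: it should be
# refused, and auth.log should show a line of the form
#   User steve from 203.0.113.7 not allowed because not listed in AllowUsers
# Reload with "systemctl reload ssh" (Ubuntu) once the syntax check passes.
```

Two things to keep in mind when deploying this. A Match block runs to the next Match or the end of the file, so the AllowUsers line has to sit in the global section above it, and anything you append to the file afterwards lands inside the block. Prefer addresses over hostnames in the HOST part: hostname matching depends on reverse DNS (and UseDNS) at the destination, which is both slower and easier to tamper with. On the /etc/hosts.allow question from the original post, upstream OpenSSH dropped tcp_wrappers (libwrap) support in 6.7, and only some distribution builds kept it for a while, so the sshd_config route is the portable one. Finally, this control is only as good as the path: the destination must really see central's address (not a NAT or load balancer in front of it), and anyone with a shell on central can hop, so central's own login records are what make the "who went where" tracking hold up.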