
With Denyhosts, how can I "whitelist" a known good user by username plus the fact that they have a valid RSA keypair (or in combination with some other known fact about the user such as MAC address)?

Some background:

On a Ubuntu server, denyhosts is blocking some SSH users (but not all) from logging in. The users are all configured exactly the same -- even using the same Linux user account. Every user has an RSA key pair and logs in via keypair only. No password based SSH logins are allowed. (These are automated SSH logins to an update server.)

If I add the problematic users' IP addresses to Denyhost's hosts.allow file (and remove the address from any restricted/deny files), the user can login just like the other users. But none of these users have static IP addresses, so this isn't a solution.

Given the fact that these users have a valid RSA key and they have a Linux user account, is there a way I can make denyhosts stop blocking them (without weakening its proper functioning, especially for all the would-be attackers who try to log in with invalid passwords)?

Update:
I have PasswordAuthentication no and AllowUsers foo@* in /etc/ssh/sshd_config along with the other relevant settings so that my users can only log in with RSAAuthentication.

Of course, I could always stop using Denyhosts. But my question is how can I make Denyhosts work the way I intend so I don't have to stop using it.

MountainX

2 Answers


Stop using hosts.allow / hosts.deny entirely and reconfigure sshd to prohibit logins using a password.

Users can only get in via keys now.

yoonix
none of these users have static IP addresses

Ok, then you cannot use host-based authentication.

Possible solution:

Use AllowUsers in the /etc/ssh/sshd_config

for example

AllowUsers foo@, bar@

or even better

AllowUsers [email protected].*, [email protected].*, baz@111.*

the same for DenyUsers

DenyUsers foo@badhost, [email protected].*, [email protected].*

These allow you to configure access for any type of requirement.

  • I already have this and it hasn't solved the problem. I have `AllowUsers foo@*`. Even so, foo is sometimes added to the restricted lists by Denyhosts. – MountainX Feb 21 '14 at 23:21
  • But if you have this, then your problematic user (who is obviously not in the set of AllowUsers) can't log in. –  Feb 21 '14 at 23:26
  • The problematic user is foo and foo is in the AllowUsers list. Yet Denyhosts will block foo from some IP addresses. From other IP addresses, foo can log in (via keypair) as expected. – MountainX Feb 21 '14 at 23:32
  • It is not easy to understand, because you say that none of these users has a static IP, but you don't want to allow users from a specific IP. So why not use DenyUsers? I edited my post for this option. –  Feb 22 '14 at 01:32
  • I'm sorry my question is confusing you. @Gilles gave a clear reply. `AllowUsers` and `DenyUsers` in sshd_config are not going to help me at all. Furthermore, I am not trying to block a user from a specific IP. I am trying to allow a user from any IP. But Denyhosts gets in the way of that. You are not understanding my question. But thanks for trying to answer. :-) – MountainX Feb 22 '14 at 01:51
  • I also agree with Gilles's comment because hosts.{allow,deny} is host-based authentication and you want to identify users. yoonix also suggested not to use hosts.{allow,deny}. But you're right, I give up. It is surely too complex for me. :-) –  Feb 22 '14 at 02:02
  • It's probably just my poorly worded question. I'm sure it isn't too complex for you. ;-) – MountainX Feb 22 '14 at 02:46
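As an added illustration of the point made in the first answer and in the comments above (this script is not from the question, either answer, or the DenyHosts project): TCP wrappers decide on the client address alone, before sshd has seen a username or a key, so hosts.allow/hosts.deny can never carry a per-user or per-key exception. The script emulates that decision for sshd over two constructed sample files; it handles only a subset of the real hosts_access pattern syntax, and the addresses are documentation-range placeholders.

```shell
# Emulates the TCP-wrappers check sshd performs before SSH authentication:
# first match in hosts.allow wins, then first match in hosts.deny, otherwise
# allow. No username or key enters this decision. Only "ALL", an exact IPv4
# address and a trailing-dot network prefix are recognised here.
# Constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny.
ALLOW_FILE=$(mktemp)
DENY_FILE=$(mktemp)
cat >"$ALLOW_FILE" <<'EOF'
sshd: 203.0.113.10
EOF
cat >"$DENY_FILE" <<'EOF'
# "daemon: client" lines in the form a blocker such as DenyHosts writes
sshd: 198.51.100.7
sshd: 203.0.113.
EOF

# client_matches PATTERN IP: succeeds when PATTERN covers IP.
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# file_matches FILE DAEMON IP: succeeds on the first non-comment line whose
# daemon list names DAEMON (or ALL) and whose client list covers IP.
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                client_matches "$c" "$3" && return 0
            done
        done
    done <"$1"
    return 1
}

# wrapper_verdict IP: prints ALLOW or DENY for a client connecting to sshd.
wrapper_verdict() {
    if file_matches "$ALLOW_FILE" sshd "$1"; then echo ALLOW
    elif file_matches "$DENY_FILE" sshd "$1"; then echo DENY
    else echo ALLOW
    fi
}
```

`wrapper_verdict 203.0.113.10` gives ALLOW because an explicit allow entry beats the broader deny prefix, while `wrapper_verdict 203.0.113.11` gives DENY with no way to express "unless the client holds user foo's key"; AllowUsers and key-only authentication only run after this check has already passed.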