Re: sshd transition points
just fyi: this is an actual real-world deployment of SE/Linux for
a Bastion Server, where it is necessary to restrict which users
may sftp in and upload files on the box - and also to restrict
the users to only one particular directory - _and_ also to restrict
which IP addresses those users can come in on.
so it's actually quite an exciting project.
bearing in mind that it is possible to compromise or just
absent-mindedly or otherwise in a blasé fashion copy ssh
private keys (esp. amongst security-unconscious users) it
becomes necessary to restrict one set of sftp users from being
able to sftp in to another customer's upload directory.
yes, the iptables approach works fine - right up to the point
where you run out of virtual interfaces because of the number
of different customers that the Bastion Server is supporting.
l.
On Wed, Feb 16, 2005 at 03:26:45PM +0000, Luke Kenneth Casson Leighton wrote:
> stephen, i believe i have enough to go on, now: thank you for your
> help, even if it's not entirely clear what i want to achieve here :)
>
> i aim to add a setcon() into sshd's "input_userauth_request()"
> function just after the point where the username is obtained,
> such that any unauthorised IP addresses for that username will
> immediately stop any further TCP traffic.
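The check sketched in the quoted paragraph, as an added example (not code from the thread or from OpenSSH): a username-to-context table with one permitted source network per customer, and the decision sshd would take once input_userauth_request() has the username. The customer names, SELinux contexts and networks are constructed placeholders, and the setcon(3) call itself is left to the caller so the block builds without libselinux.

```c
/* Added example, not code from the thread: per-username source-address check
 * for the point in sshd where the username becomes known. The customer table,
 * contexts and networks below are constructed placeholders. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct customer {
    const char *user;     /* sftp login name */
    const char *context;  /* SELinux domain the caller hands to setcon(3) */
    const char *cidr;     /* the only source network allowed for this user */
};

static const struct customer customers[] = {
    { "acme_upload",   "system_u:system_r:sftp_acme_t",   "192.0.2.0/24" },
    { "globex_upload", "system_u:system_r:sftp_globex_t", "198.51.100.16/28" },
};

/* 1 if dotted-quad ip lies within cidr ("a.b.c.d/n"); 0 otherwise or on bad input. */
int ip_in_cidr(const char *ip, const char *cidr)
{
    char net[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    struct in_addr a, n;
    if (!slash || (size_t)(slash - cidr) >= sizeof net)
        return 0;
    memcpy(net, cidr, (size_t)(slash - cidr));
    net[slash - cidr] = '\0';
    char *end;
    long bits = strtol(slash + 1, &end, 10);
    if (*end || bits < 0 || bits > 32)
        return 0;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    uint32_t mask = bits ? htonl(0xffffffffu << (32 - bits)) : 0; /* /0 matches all */
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* Called once input_userauth_request() has the username: returns the context
 * sshd should transition into, or NULL when the user is unknown or the peer is
 * outside the customer's network, in which case the connection is dropped. */
const char *select_context(const char *user, const char *peer_ip)
{
    size_t i;
    for (i = 0; i < sizeof customers / sizeof customers[0]; i++)
        if (strcmp(customers[i].user, user) == 0)
            return ip_in_cidr(peer_ip, customers[i].cidr) ? customers[i].context : NULL;
    return NULL; /* unknown username: never grant a context by default */
}
```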
--
This message was distributed to subscribers of the selinux mailing list.
This mailing list archive is a service of Copilot Consulting.