Friday, November 23, 2007

OpenSSH and 'Matching' Rules

Most of the time on the servers I maintain, there's a strict set of options in the /etc/ssh/sshd_config file -- after all, things like X11Forwarding yes or any of the plain-text challenge options should really be tightly controlled on operational servers.

Occasionally though, there's a reason to relax these permissions, but rather than doing this globally, OpenSSH has the ability to do this on a per user, group or connecting IP address basis.

A box that I look after has MaxAuthTries set to 1 and LoginGraceTime set to 30 in order to slow down brute-force password guessing attacks (something I highly recommend for boxes in the field, by the way) -- but the owner of the box is a little heavy on the keys sometimes and ends up having to try two or three times to get their password right.

Let's say our user's name is Tom and he connects from 100.50.0.1.

Simple solution -- first, open your /etc/ssh/sshd_config file (or possibly /etc/sshd/sshd_config if you're using a Fedora/RHEL/SuSE box) and add:

Match User tom Address 100.50.0.1
    MaxAuthTries 5
    LoginGraceTime 120

So, while normal users get 30 seconds and 1 try to enter their password -- the owner of the box gets 5 tries and 2 minutes before he's disconnected.

note: When using Match rules, the User (and/or Address) keywords are case-sensitive, at least on Ubuntu 6.06 and RHEL 4.

note ii: When specifying multiple criteria on a single Match line (such as User and Address), the expression is treated as a logical AND -- so all of the criteria must match before the block is applied.
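To see the Match semantics described above in action (global defaults, a per-user/per-address override, and the logical AND between criteria on one Match line), here is an added example that models a simplified sshd_config evaluator; it is not part of the original post and not OpenSSH's own code. The config text is constructed from the post, Match criteria are limited to exact User and Address (host or CIDR) values, and, as sshd does, the first satisfied Match block wins for any given keyword.

```python
import ipaddress

# Constructed sample config modelled on the post (not a real server's file).
SAMPLE_CONFIG = """\
MaxAuthTries 1
LoginGraceTime 30
X11Forwarding no

Match User tom Address 100.50.0.1
    MaxAuthTries 5
    LoginGraceTime 120
"""

def parse(text):
    """Split into global options and a list of (criteria, options) Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            # Criteria come in keyword/value pairs: "User tom Address 100.50.0.1"
            toks = value.split()
            crit = {toks[i].lower(): toks[i + 1] for i in range(0, len(toks), 2)}
            current = (crit, {})
            blocks.append(current)                # block runs until the next Match
        elif current is None:
            global_opts[key] = value
        else:
            current[1][key] = value
    return global_opts, blocks

def matches(crit, user, addr):
    """Every criterion on the Match line must hold (logical AND)."""
    if "user" in crit and crit["user"] != user:
        return False
    if "address" in crit:
        net = ipaddress.ip_network(crit["address"], strict=False)
        if ipaddress.ip_address(addr) not in net:
            return False
    return True

def effective_options(text, user, addr):
    """Global options, overridden by the first satisfied Match block per keyword."""
    global_opts, blocks = parse(text)
    overrides = {}
    for crit, block_opts in blocks:
        if matches(crit, user, addr):
            for k, v in block_opts.items():
                overrides.setdefault(k, v)
    return {**global_opts, **overrides}
```

On a live server the authoritative check is `sshd -T -C user=tom,addr=100.50.0.1`, which prints the effective configuration for that connection (OpenSSH 5.1 and later).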