4

With Denyhosts, how can I "whitelist" a known good user by username plus the fact that they have a valid RSA keypair (or in combination with some other known fact about the user such as MAC address)?

Some background:

On a Ubuntu server, denyhosts is blocking some SSH users (but not all) from logging in. The users are all configured exactly the same -- even using the same Linux user account. Every user has an RSA key pair and logs in via keypair only. No password based SSH logins are allowed. (These are automated SSH logins to an update server.)

If I add the problematic users's IP addresses to Denyhost's hosts.allow file (and remove the address from any restricted/deny files), the user can login just like the other users. But none of these users have static IP addresses, so this isn't a solution.

Given the fact that these users have a valid RSA key and they have a Linux user account, is there a way I can make denyhosts stop blocking them (without weaking its proper functioning, especially for all the would-be attackers who try to log in with invalid passwords)?

Update:
I have PasswordAuthentication no and AllowUsers foo@* in /etc/ssh/sshd_config along with the other relevant settings so that my users can only log in with RSAAuthentication.

Of course, I could always stop using Denyhosts. But my question is how can I make Denyhosts work the way I intend so I don't have to stop using it.

Improve this question

2 Answers 2

Reset to default
4

Stop using hosts.allow / hosts.deny entirely and reconfigure sshd to prohibit logins using a password.

Users can only get in via keys now.

Improve this answer
3
  • I already have PasswordAuthentication no in /etc/ssh/sshd_config. But Denyhosts has some features I like. I don't want to stop using it. Commented Feb 21, 2014 at 23:24
  • @MountainX Denyhosts blocks connections before the user is identified. Catch-22. Commented Feb 21, 2014 at 23:56
  • @Gilles - so the only solution to my problem is to stop using Denyhosts? That's too bad... Commented Feb 22, 2014 at 0:03
1 
none of these users have static IP addresses

Ok, then you can not use host based authentication .

Possible solution:

Use AllowUsers in the /etc/ssh/sshd_config

for example

AllowUsers foo@, bar@

or even better

AllowUsers [email protected].*, [email protected].*, baz@111.*

the same for DenyUsers

DenyUsers foo@badhost, [email protected].*, [email protected].*

These allow to configure access for any type of requirement.

Improve this answer
7
  • I already have this and it hasn't solved the problem. I have AllowUsers foo@* Even so, foo is sometimes added to the restricted lists by Denyhosts. Commented Feb 21, 2014 at 23:21
  • But if you have this, then your problematic user (who is obviously not in the set of AllowUsers) can't log in. Commented Feb 21, 2014 at 23:26
  • The problematic user is foo and foo is in the AllowUsers list. Yet Denyhosts will block foo from some IP addresses. From other IP addresses, foo can log in (via keypair) as expected. Commented Feb 21, 2014 at 23:32
  • It is not easy to understand, because you say that none of these users has a static IP. but you dont want to allow users from a specific IP. So why not use DenyUsers? I edited my post for this option. Commented Feb 22, 2014 at 1:32
  • I'm sorry my question is confusing you. @Gilles gave a clear reply. AllowUsers and DenyUsers in sshd_config are not going to help me at all. Furthermore, I am not trying to block a user from a specific IP. I am trying to allow a user from any IP. But Denyhosts gets in the way of that. You are not understanding my question. But thanks for trying to answer. :-) Commented Feb 22, 2014 at 1:51

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.