I thought about running different sshd daemons but that doesn't really help in my situation. User IPs can vary wildly but I can restrict access *to* the box using radius based on username. Problem is once that user connects, I need to restrict his outbound access based on an IP policy, which is currently being filtered outside of the server on a Cisco ASA firewall (currently expecting to see the IP address of whichever server the user is connected to).
-----Original Message-----
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of Chris Cappuccio
Sent: Tuesday, September 09, 2014 10:28 AM
To: Nagle, Edwin (James)
Cc: tech@openbsd.org
Subject: Re: SSH Sourcing

Nagle, Edwin (James) [edwin.na...@austinenergy.com] wrote:
> Good morning,
>
> My problem is, I am separating users based on interface IP and radius, and
> therefore need to force their outbound SSH sessions to bind to the IP address
> of the interface they came in on (or at least a different IP) so I can create
> firewall rules to restrict outbound access. However, all outbound SSH
> sessions are sourced through the default (bnx0) interface and therefore
> hamper my ability to effectively firewall the outbound SSH requests since the
> user could be in one of three firewall groups. I may be just thinking too
> hard about this but it seems to me there should be (and likely is) a simple
> way to bind the outgoing connection from the source address.
>
> Any ideas, or should I just create three virtual machines and be done with it?
>
> Again, thanks in advance for any guidance!
>

If each user ID is correlated with a separate IP, you could run different sshd each which only allows certain users to log in, and then use pf to restrict each user in certain ways.
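The pf side of the approach Chris describes, as an added example that is not part of the thread: pf can match locally originated packets by the owner of the socket (`user` / `group` in pf.conf), and `nat-to` can rewrite the source address of those packets, so each firewall group's outbound SSH leaves the box from its own address and the ASA can keep filtering on source IP alone. The group names `grpA`/`grpB`/`grpC` and the 192.0.2.x addresses are constructed for the example; the only thing taken from the thread is the bnx0 interface name.

```pf
# /etc/pf.conf fragment (constructed example, not from the thread)
ext_if = "bnx0"

# Constructed: one alias address per firewall group. Each of these must be
# configured as an alias on $ext_if so that reply traffic comes back to us.
grpA_src = "192.0.2.11"
grpB_src = "192.0.2.12"
grpC_src = "192.0.2.13"

# Default deny: a user who is in none of the groups gets no outbound SSH at all,
# and the log lets you see who tried.
block out log on $ext_if proto tcp to port ssh

# Last matching rule wins, so these override the block for members of each
# unix group. "group" matches the effective gid of the process that owns the
# socket, i.e. the primary group the user logged in with.
pass out on $ext_if proto tcp to port ssh group grpA nat-to $grpA_src
pass out on $ext_if proto tcp to port ssh group grpB nat-to $grpB_src
pass out on $ext_if proto tcp to port ssh group grpC nat-to $grpC_src
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Two caveats: `user`/`group` only work for packets generated on the host itself, not for forwarded traffic, and users can change their primary group with `newgrp` if they are also members of another group, so keep each account in exactly one of the three groups. Doing the same thing in ssh_config (`Match localuser alice` followed by `BindAddress 192.0.2.11`) sets the source address only for that client, and the user can override it with `ssh -b`, so the pf rule is the enforcement point and the ssh_config setting is at most a convenience.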