Re: Question restricting ssh access for some users only

From: Mark Ogden (ogden_at_eng.utah.edu)
Date: 10/07/04

  • Next message: Vlad GALU: "Re: Question restricting ssh access for some users only"
    Date: Thu, 7 Oct 2004 12:06:30 -0600
    To: Volker Kindermann <ml@ps102.de>
    
    

    Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
    > Hi Jim,
    >
    >
    > > I've used ssh as a secure telnet up to now but done little else with
    > > it. The FreeBSD machines I look after on our internet-facing network
    > > all have one account which I connect to for administration. I've set
    > > up /etc/hosts.allow on all the machines to only allow ssh from a
    > > limited internal network range.
    > >
    > > Now I want to create a new account on one machine which will be
    > > accessible from the Internet as a whole, to be used for tunnelling of
    > > SMTP and POP3. I can't predict what the client IP address will be so I
    > > will have to remove the hosts.allow restriction.
    >
    > have you considered the "AllowGroups" and "AllowUsers" directives of
    > sshd_config? They should provide exactly the functionality that you want.

    But what if you have 1000 users? From my understanding you would have
    to add all users to the AllowUsers list.

    -Mark
    >
    > -volker
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
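
    The directives discussed in this thread, applied to the scenario in the original question (an admin account limited to an internal range, plus a tunnel account reachable from anywhere). This is an added example, not part of the original messages; the account names admin and mailtunnel, the group sshusers, and the 192.168.1.* range are constructed placeholders.

```conf
# /etc/ssh/sshd_config fragment (added example; names and addresses are constructed)

# Option A: per-user patterns. A USER@HOST pattern limits that user to
# matching client addresses; a bare USER is accepted from any address.
# This takes over the per-source restriction that hosts.allow applied to
# every account at once.
AllowUsers admin@192.168.1.* mailtunnel

# Option B (use instead of A): group membership. With many accounts, access
# is granted by adding users to the group, not by editing this file.
#AllowGroups sshusers

# Do not set A and B together unless every account should satisfy both.
# sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order,
# and a login has to pass every list that is set.

# Limit what the tunnel account can forward to (SMTP and POP3 on this host).
# Match blocks need an OpenSSH release newer than those current in 2004.
Match User mailtunnel
    PermitOpen 127.0.0.1:25 127.0.0.1:110
    X11Forwarding no
    AllowAgentForwarding no
```

    Run `sshd -t` to check the file for syntax errors before reloading the daemon, and keep an existing session open until a new login has been tested.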

