Re: Question restricting ssh access for some users only
From: Mark Johnston (mjohnston_at_skyweb.ca)
To: Mark Skurzynski <firstname.lastname@example.org>, email@example.com
Date: Thu, 7 Oct 2004 14:10:31 -0500
Mark Ogden <firstname.lastname@example.org> wrote:
> Mark Skurzynski on Thu, Oct 07, 2004 at 02:50:49PM -0400 wrote:
> > I normally don't reply here however the simple solution is to run a 2nd
> > instance of sshd on any random port you choose, ie. "sshd -f
> > /etc/ssh/sshd_config_private" or whatever you choose. You could then
> > easily firewall that port and only allow specific IPs to connect.
> Yes, that was our second idea. But we feel there's got to be a better
Seems appropriate that a third Mark should chip in here: there is. You can
use ~/.ssh/authorized_keys to add restrictions, one of which is "from":
Specifies that in addition to public key authentication, the
canonical name of the remote host must be present in the comma-
separated list of patterns (`*' and `?' serve as wildcards).
The list may also contain patterns negated by prefixing them with
`!'; if the canonical host name matches a negated pattern, the
key is not accepted. The purpose of this option is to optionally
increase security: public key authentication by itself does not
trust the network or name servers or anything (but the key);
however, if somebody somehow steals the key, the key permits an
intruder to log in from anywhere in the world. This additional
option makes using a stolen key more difficult (name servers
and/or routers would have to be compromised in addition to just
Apply that to the only key you allow to log in for root, and then set
PermitRootLogin to "without-password", heeding the warning in sshd_config(5).
I would still encourage you to look at Per Engelbrecht's sudo suggestion; you
will very likely want the logging that it provides. However, you should be
able to do exactly what you want with this.
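As an added example that is not part of this thread, the following POSIX shell script puts the two pieces of advice above into a form you can check: it audits an authorized_keys file for keys that carry no from="..." restriction (the case where a stolen key would work from anywhere), and it reports the PermitRootLogin value sshd will actually use from a config file. The key blobs, host patterns, port and file contents are constructed placeholders, not real key material or a real system's configuration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits ~/.ssh/authorized_keys
# entries for a from="..." restriction and reads PermitRootLogin from an
# sshd_config. All sample data below is constructed.

# Print every key line that has no from= option; exit 1 if any was found.
# An authorized_keys line is either "<keytype> <blob> [comment]" or
# "<options> <keytype> <blob> [comment]"; options may contain quoted commas.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            # First field is already a key type: there is no options field.
            if ($1 ~ /^(ssh-|ecdsa-|sk-)/) {
                print FILENAME ":" NR ": " $0; found = 1; next
            }
            # Otherwise the options field runs up to the key type.
            opts = $0
            sub(/ (ssh-|ecdsa-|sk-).*$/, "", opts)
            if (opts !~ /(^|,)from="/) {
                print FILENAME ":" NR ": " $0; found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Number of unrestricted keys in a file (handy for scripting and alerts).
count_unrestricted() {
    unrestricted_keys "$1" | wc -l | tr -d ' '
}

# sshd_config(5): for each keyword the FIRST value read is the one used,
# so report the first PermitRootLogin line, not the last (Match blocks and
# Include files are not followed here).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# --- constructed sample data -------------------------------------------
sample=$(mktemp)
conf=$(mktemp)
trap 'rm -f "$sample" "$conf"' EXIT

cat > "$sample" <<'EOF'
# root's only key: usable from the admin host and the office network only
from="admin.example.org,10.0.0.*" ssh-rsa AAAAB3NzaC1yc2EAAAA...placeholder1 root@admin
# an unrestricted key: a copy of it would log in from anywhere
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...placeholder2 ops@laptop
# restricted with a negated pattern plus another option in front of from=
no-port-forwarding,from="!*.untrusted.example,*.example.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...placeholder3 backup@host
EOF

cat > "$conf" <<'EOF'
# constructed sshd_config for a second, firewalled sshd instance
Port 2222
PermitRootLogin without-password
PasswordAuthentication no
# this later duplicate is ignored: sshd keeps the first value it read
PermitRootLogin yes
EOF

# --- usage ---------------------------------------------------------------
echo "keys without a from= restriction:"
unrestricted_keys "$sample" || echo "-> $(count_unrestricted "$sample") key(s) need a from= option"
echo "effective PermitRootLogin: $(permit_root_login "$conf")"
```

Run it against a real file with `unrestricted_keys /root/.ssh/authorized_keys` after sourcing the functions; for the separate sshd instance, `sshd -t -f /etc/ssh/sshd_config_private` (the -t flag checks the config without starting the daemon) is the natural companion check. The audit only looks for a from= option; it does not validate the host patterns, which is why the from= list should be kept short and specific.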