Re: sshd_config access keywords question.
- From: Benjamin Donnachie <benjamin@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 14 Oct 2006 14:58:30 +0100
Emerson Farrugia wrote:
The configuration most likely to succeed that I've tried so far is
AllowGroups ssh lanssh@xxxxxxxxxx*
What authentication methods do you use? You could turn off all methods
and then selectively turn them back on using the Match keyword, e.g.:
# Only accept connections from users in ssh and lanssh groups
AllowGroups ssh lanssh
# Turn off all authentication methods so logins fail by default.
*** NB You'll need to fill this in ***
Match Group ssh
# Turn on authentication methods allowing ssh group to login anywhere.
*** NB You'll need to fill this in ***
Match Address 192.168.0.*
# Turn on authentication methods - allowing all others to login only
# if on local network.
*** NB You'll need to fill this in ***
Or what about using PAM?
# PAM needed to implement restrictions.
UsePAM on
And then add the following to the pam sshd file (Often /etc/pam.d/sshd):
account required pam_access.so accessfile=/etc/security/sshd.conf
Then create /etc/security/sshd.conf with the following:
- : ALL EXCEPT ssh lanssh:192.168.0.0/24
(^^ You should double check this).
This should deny all users, except the ssh group and the lanssh group if
logged in through 192.168.0.0/24.
Finally, you could alternatively patch the sshd source so that the match
keyword extends to AllowGroups. Then you could use something like:
Allowgroups ssh
Match Address 192.168.0.*
Allowgroups lanssh
Personally, I feel that the PAM option is the best and easiest to
implement and maintain (assuming you have it on your system).
Take care,
Ben
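The Match-based sketch above leaves the authentication keywords as placeholders. The following is an added, filled-in sshd_config fragment (not from the original post) showing one way to complete it: every method is switched off in the global section, then public-key authentication is re-enabled for the ssh group everywhere and for anyone who passed AllowGroups (in practice the lanssh group) only when connecting from the LAN. It assumes key-based logins are what you want to permit and a current OpenSSH; on the 4.4-era release discussed in the thread, check sshd_config(5) for which keywords Match accepts (older releases spell KbdInteractiveAuthentication as ChallengeResponseAuthentication).

```text
# Only members of these groups get past sshd's group check at all.
AllowGroups ssh lanssh

# Default deny: no authentication method works unless a Match block turns it on.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication no
HostbasedAuthentication no
GSSAPIAuthentication no

# ssh group: keys accepted from anywhere.
Match Group ssh
    PubkeyAuthentication yes

# Everyone else who passed AllowGroups (i.e. lanssh): keys accepted only from the LAN.
Match Address 192.168.0.0/24
    PubkeyAuthentication yes
```

Before deploying, check the syntax with `sshd -t -f <file>` and confirm what a given client would actually get with extended test mode, e.g. `sshd -T -f <file> -C user=bob,host=laptop,addr=10.0.0.5 | grep -i pubkeyauthentication`, which should print `pubkeyauthentication no` for a lanssh user off the LAN and `yes` for the same user with `addr=192.168.0.7`.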
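The post asks the reader to double-check the pam_access line. The following is an added example, not part of the original thread and not libpam code: a small Python model of the documented pam_access(8) semantics (lines are `permission : users : origins`, user-field names match a login or a group, `EXCEPT` subtracts, the first line that matches both fields decides, and no matching line means access is granted). The group table and the login cases are constructed for the example. It evaluates the single posted line against the intended policy, alongside a three-line variant that ends with the usual explicit `- : ALL : ALL` deny so that nothing falls through to the default grant.

```python
"""Toy evaluator for pam_access-style rules (added example, mimics pam_access(8),
not libpam code). Group membership below is constructed for the example."""
import ipaddress

# Stand-in for /etc/group (assumption for the example).
GROUPS = {
    "ssh": {"alice"},
    "lanssh": {"bob"},
}


def _user_token_matches(token, user):
    """User-field token: ALL, a login name, a group name, or (group) in newer Linux-PAM."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return user in GROUPS.get(token[1:-1], set())
    return token == user or user in GROUPS.get(token, set())


def _origin_token_matches(token, addr):
    """Origin-field token: ALL, an IP address, or a CIDR network (other names compared literally)."""
    if token == "ALL":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return token == addr


def _field_matches(field, value, token_matches):
    """'a b c' or 'a b EXCEPT c d': value must match an included token and no excluded one."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        included, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        included, excluded = tokens, []
    return (any(token_matches(t, value) for t in included)
            and not any(token_matches(t, value) for t in excluded))


def parse_rules(text):
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected 'perm : users : origins', got {raw!r}")
        rules.append(tuple(fields))
    return rules


def check_access(rules, user, addr):
    """First rule whose user and origin fields both match decides; no match grants access."""
    for perm, users, origins in rules:
        if (_field_matches(users, user, _user_token_matches)
                and _field_matches(origins, addr, _origin_token_matches)):
            return perm == "+"
    return True


# The single line from the post.
POSTED = parse_rules("- : ALL EXCEPT ssh lanssh:192.168.0.0/24")

# Variant with an explicit final deny, so no login falls through to the default grant.
STRICT = parse_rules("""
+ : ssh : ALL
+ : lanssh : 192.168.0.0/24
- : ALL : ALL
""")

# Constructed logins: (user, source address, outcome the post intends).
CASES = [
    ("alice", "10.0.0.5",    True),   # ssh group, off the LAN
    ("bob",   "192.168.0.7", True),   # lanssh group, on the LAN
    ("bob",   "10.0.0.5",    False),  # lanssh group, off the LAN
    ("carol", "192.168.0.7", False),  # no group, on the LAN
    ("carol", "10.0.0.5",    False),  # no group, off the LAN
]


def compare(rules):
    """Return the (user, addr) cases where the rule set disagrees with the intended outcome."""
    return [(u, a) for u, a, want in CASES if check_access(rules, u, a) != want]


if __name__ == "__main__":
    print("posted line disagrees on:", compare(POSTED))
    print("strict rules disagree on:", compare(STRICT))
```

The posted line only ever denies, and only for logins from the LAN, so any login from outside 192.168.0.0/24 matches no rule and is granted by pam_access's default; on a real host the AllowGroups line in sshd_config would still stop users outside both groups, but not a lanssh member connecting from elsewhere. Remember that pam_access only sees the client address because sshd sets PAM_RHOST, so the sshd PAM stack must actually run the account phase (UsePAM yes).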