Re: User at host
- From: Barry Brimer <securityfocus@xxxxxxxxxx>
- Date: Wed, 15 Nov 2006 21:36:08 -0600 (CST)
> What I'm wondering is, how can I make it so a user+public key will only
> authenticate if the connection is coming from a certain host?
> i.e.: user joe can come from anywhere, pending they have joes.ppk
> user jim can only come from 10.10.10.10/32 pending they have jims.ppk
Does your SSH server allow password authentication, or only public key exchanges?
If your SSH server allows only key exchanges, you can modify/lock down their authorized keys file as so:
from="allowed_host" ssh-rsa ......
If your SSH server allows other types of authentication you can use the pam_access module as so:
Create a file with the following contents:
-:jim:ALL EXCEPT <authorized host(s)>
Add the line: "account required pam_access.so accessfile=</path/to/file/created/in/previous/step>"
(the above line must be a solid line; it should not wrap)
above other account restrictions in /etc/pam.d/sshd
As always when working with PAM, I recommend a backup of any file you will be changing and 2 root logged in terminal sessions!
Good Luck!
Barry
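
As an added example (not part of the message above and not OpenSSH code): a small Python audit that parses an authorized_keys file and reports which keys carry a from= restriction and which can be used from any host. The function names and the sample file, with placeholder key blobs, are constructed for illustration.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

def split_entry(line):
    """Split one authorized_keys line into (options, key_fields).
    The options field ends at the first space outside double quotes."""
    if line.startswith(KEY_PREFIXES):
        return "", line.split()
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].split()
    return line, []

def parse_options(options):
    """Return {name: value}; commas inside quoted values do not split options."""
    parsed, current, in_quote = {}, "", False
    for i, ch in enumerate(options + ","):
        if ch == '"' and (i == 0 or options[i - 1] != "\\"):
            in_quote = not in_quote
        if ch == "," and not in_quote:
            name, _, value = current.partition("=")
            if name:
                parsed[name.lower()] = value.strip('"')
            current = ""
        else:
            current += ch
    return parsed

def audit(text):
    """Return [(line_no, key_comment, from_patterns)]; patterns is None if unrestricted."""
    results = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            options, fields = split_entry(line)
            source = parse_options(options).get("from")
            results.append((no, " ".join(fields[2:]), source.split(",") if source else None))
    return results

SAMPLE = """\
# constructed sample: key blobs are placeholders, not real keys
ssh-rsa AAAAB3PLACEHOLDER roaming-laptop
from="10.10.10.10" ssh-rsa AAAAB3PLACEHOLDER office-desktop
from="10.10.10.10,*.example.com",command="/bin/echo a, b" ssh-rsa AAAAB3PLACEHOLDER batch job
"""
if __name__ == "__main__":
    for no, comment, patterns in audit(SAMPLE):
        print(f"line {no}: {comment!r} -> {patterns or 'NO from= restriction'}")
```

Run it against each account's authorized_keys file; any key reported without a from= restriction is accepted from every source address that can reach the SSH server.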