
Re: [OT] restrict ssh to localnet for some users but not for others.



On 27/11/01, martin f krafft wrote:
> * op <ol1@v10a.com> [2001.11.27 10:23:57+0100]:
> > I specify the users in /etc/ssh/sshd_config who are allowed to connect via
> > ssh. But I'd like some more control. I'd like to control which subnets user x
> > can connect from. Some should be allowed to connect from anywhere but some
> > should only be able to connect from the local network.
> 
> nope, this isn't possible with the current sshd. an interesting
> feature though...
> 
> you could write a custom shell that checks the IP after login and only
> spawns a shell when it's from an OK subnet...

|     AllowUsers
|             This keyword can be followed by a list of user names, separated
|             by spaces.  If specified, login is allowed only for user names
|             that match one of the patterns.  `*' and `?' can be used as
|             wildcards in the patterns.  Only user names are valid; a
|             numerical user ID is not recognized.  By default login is allowed
|             regardless of the user name.  If the pattern takes the form
|             USER@HOST then USER and HOST are separately checked, restricting
|             logins to particular users from particular hosts.

Well, this option for the sshd is at least available in the latest cvs
of OpenSSH and is, as far as I remember, also available in the latest
official release (3.0p1). So at least it's possible to restrict a user
to come from a certain host. But I'm thinking it won't work with subnets
or host patterns so far. And I'm not really sure if it's that easy to
extend the functionality of this option to subnets.

Christian
-- 
           Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
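To make the AllowUsers semantics quoted above concrete, here is a small policy evaluator added as an example; it is not code from the mail, from OpenSSH, or from the man page. It models what the excerpt describes (a plain user name allows login from anywhere, USER@HOST checks both parts, `*' and `?' are wildcards, and a user who matches no entry is refused) and goes one step beyond the 2001 release discussed in the thread: the HOST part may also be a CIDR network, which current sshd_config(5) accepts for AllowUsers/DenyUsers. The AllowUsers line and the addresses are constructed sample values.

```python
import fnmatch
import ipaddress

# Constructed sample policy (not from the original mail):
#   alice            -> may log in from anywhere
#   bob@192.168.1.*  -> only from the 192.168.1.0/24 network, via the `*' wildcard
#   carol@10.0.0.0/8 -> CIDR form; supported by modern sshd, not by the 3.0p1
#                       release the thread talks about
ALLOW_USERS = "alice bob@192.168.1.* carol@10.0.0.0/8"


def host_matches(pattern: str, addr: str) -> bool:
    """Check the HOST part of a USER@HOST entry against a client address.

    A pattern containing '/' is treated as a CIDR network; anything else is a
    shell-style wildcard pattern (`*' and `?' as in the man page; fnmatch also
    honours [...] ranges, a small superset of what the excerpt lists).
    """
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # malformed network or address never matches
    return fnmatch.fnmatchcase(addr, pattern)


def parse_allow_users(line: str) -> list:
    """Split an AllowUsers line into (user_pattern, host_pattern_or_None) pairs."""
    entries = []
    for token in line.split():
        user, sep, host = token.partition("@")
        entries.append((user, host if sep else None))
    return entries


def login_allowed(line: str, user: str, addr: str) -> bool:
    """Emulate AllowUsers: the first matching entry permits the login.

    AllowUsers is an allow-list, so a user that matches no entry at all is
    refused, which is what gives the original poster the per-user control.
    Real sshd additionally compares HOST against the reverse-resolved client
    name when UseDNS is on; this model only looks at the IP address.
    """
    for user_pat, host_pat in parse_allow_users(line):
        if not fnmatch.fnmatchcase(user, user_pat):
            continue
        if host_pat is None or host_matches(host_pat, addr):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice", "203.0.113.7"),   # allowed: no host restriction
        ("bob", "192.168.1.5"),     # allowed: on the local net
        ("bob", "203.0.113.7"),     # refused: wrong source
        ("carol", "10.200.3.4"),    # allowed: inside 10.0.0.0/8
        ("dave", "192.168.1.5"),    # refused: not listed at all
    ]
    for user, addr in checks:
        print(f"{user:6} from {addr:15} -> {'allow' if login_allowed(ALLOW_USERS, user, addr) else 'deny'}")
```

Two practical notes. First, a wildcard is a string match, not a network match: `bob@192.168.1*` (no trailing dot) would also accept 192.168.10.x and 192.168.100.x, so always anchor the pattern with the dot or, on a current sshd, use the CIDR form. Second, on a real server you can check the resulting policy without logging in by asking sshd to print its effective configuration for a given connection, e.g. `sshd -T -C user=bob,addr=192.168.1.5`.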
