On 27/11/01, martin f krafft wrote:
> * op <ol1@v10a.com> [2001.11.27 10:23:57+0100]:
> > I specify the users in /etc/ssh/sshd_config who are allowed to connect via
> > ssh. But I'd like some more control. I'd like to control which subnets user x
> > can connect from. Some should be allowed to connect from anywhere but some
> > should only be able to connect from the local network.
>
> nope, this isn't possible with the current sshd. an interesting
> feature though...
>
> you could write a custom shell that checks the IP after login and only
> spawns a shell when it's from an OK subnet...

| AllowUsers
| This keyword can be followed by a list of user names, separated
| by spaces. If specified, login is allowed only for user names
| that match one of the patterns. `*' and `?' can be used as
| wildcards in the patterns. Only user names are valid; a numerical
| user ID is not recognized. By default login is allowed
| regardless of the user name. If the pattern takes the form
| USER@HOST then USER and HOST are separately checked, restricting
| logins to particular users from particular hosts.

Well, this option for the sshd is at least available in the latest cvs
of OpenSSH and is, as far as I remember, also available in the latest
official release (3.0p1). So at least it's possible to restrict a user
to come from a certain host. But I'm thinking it won't work with Subnets
or Host-Patterns so far. And I'm not really sure if it's that easy to
extend the functionality of this option to subnets.

Christian
--
Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
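
The "custom shell" idea quoted above, sketched as an added example (not code
from either poster or from OpenSSH). It assumes the wrapper is installed as the
user's login shell and that sshd sets SSH_CLIENT; the user names, networks and
REAL_SHELL are constructed.

```python
#!/usr/bin/env python3
import ipaddress
import os
import pwd
import sys

# Constructed policy: user -> networks that user may log in from.
POLICY = {
    "alice": ["0.0.0.0/0", "::/0"],   # anywhere
    "bob": ["192.168.1.0/24"],        # local network only
}
REAL_SHELL = "/bin/sh"  # assumption: the shell to hand over to


def client_address(env):
    """Peer address from sshd's SSH_CLIENT ("ip sport dport"), or None."""
    fields = env.get("SSH_CLIENT", "").split()
    try:
        addr = ipaddress.ip_address(fields[0])
    except (IndexError, ValueError):
        return None
    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def is_allowed(user, env, policy=POLICY):
    """Fail closed: unknown users and unparsable addresses are refused."""
    addr = client_address(env)
    if addr is None:
        return False
    for net in policy.get(user, []):
        network = ipaddress.ip_network(net)
        if addr.version == network.version and addr in network:
            return True
    return False


def main():
    user = pwd.getpwuid(os.getuid()).pw_name
    if not is_allowed(user, os.environ):
        sys.stderr.write("login from this address is not permitted\n")
        return 1
    # Pass on sshd's arguments (e.g. -c "command") to the real shell.
    os.execv(REAL_SHELL, [REAL_SHELL] + sys.argv[1:])


if __name__ == "__main__":
    sys.exit(main())
```

The check runs only when sshd starts the user's shell, so it does not cover
sessions that request no shell or command, such as forwarding-only connections.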