On Sun, Dec 09, 2001 at 04:30:35AM +0100, Guillem Jover wrote:
> On Sun, Dec 09, 2001 at 12:06:26AM +1000, mdevin@ozemail.com.au wrote:
> > I do want sshd to listen on all (0.0.0.0) but I would like to find a way
> > to make it only accept connection attempts for a certain user from the
> > internet but still allow several other users to connect from the LAN. I
> > do know how to make it accept connections for only certain users - by
> > using the AllowUsers config item in /etc/ssh/sshd_config. But this
> > allows all the users specified to connect on all interfaces ssh listens
> > on, which is not what I want ideally. What would be better is to allow
> > several from the LAN to connect but only one (me) from the internet.
> > This doesn't seem possible from my reading so far. Oh well.
>
> you may use pam, look at this previous post:
>
> http://lists.debian.org/debian-security/2001/debian-security-200111/msg00395.html

Thanks for that. It is a different approach to solve the problem. Here is what I did:

First I created two new groups: ssh-lan (for users allowed to ssh in from the LAN) and ssh-remote (for users allowed to ssh from anywhere).

Then in /etc/security/access_conf I put the following:

----------------- snip ---------------------------
# Allow group ssh-lan to connect from the LAN
+:ssh-lan:192.168.0.

# Allow group ssh-remote to connect from anywhere
+:ssh-remote:ALL

# Disallow non-local logins for everyone else
-:ALL:ALL EXCEPT LOCAL
------------------ snip ---------------------------

Then in /etc/pam.d/ssh I put the following:

------------------ snip ---------------------------
# Access limits
account required pam_access.so
------------------ snip ---------------------------

After some testing, it does seem to do what I hoped. Only those users that are in ssh-lan can ssh in from the LAN and only those in ssh-remote can ssh in from anywhere. No one else can log in remotely at all.

The only remaining question I have is: Is this the correct way to use the - and + permission settings in /etc/security/access_conf? 'Cause what I have done here is to allow specific users first and then disallow all by default. It seems to work, so I can only presume that it is a case of the first matching rule wins. Is this correct?

Cheers and thanks for the insight.

Mark.
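[Editor's note: the following is an added illustration, not part of the mail above or of the pam_access module itself. It is a small Python model of how pam_access.so walks an access.conf file top to bottom and lets the first rule whose user/group and origin both match decide, with access granted when no rule matches at all; the GROUPS table is a constructed stand-in for /etc/group and only the origin forms used in Mark's three rules are modelled.]

```python
# Toy model of pam_access.so evaluation: the first rule whose user/group and
# origin both match decides, so rule order matters. Constructed example, not
# the pam_access source; GROUPS is a made-up stand-in for /etc/group.
GROUPS = {"ssh-lan": {"alice", "bob"}, "ssh-remote": {"mark"}}

# The three rules from the mail, verbatim.
ACCESS_CONF = """
# Allow group ssh-lan to connect from the LAN
+:ssh-lan:192.168.0.
# Allow group ssh-remote to connect from anywhere
+:ssh-remote:ALL
# Disallow non-local logins for everyone else
-:ALL:ALL EXCEPT LOCAL
"""

def parse_rules(text):
    """Return [(allow, user_or_group, origins)] from access.conf-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            perm, who, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", who, origins))
    return rules

def origin_matches(pattern, origin):
    """Origin forms used in the mail: ALL, LOCAL, 'a.b.c.' prefix, X EXCEPT Y."""
    if " EXCEPT " in pattern:
        included, _, excluded = pattern.partition(" EXCEPT ")
        return origin_matches(included, origin) and not origin_matches(excluded, origin)
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin  # a tty or bare hostname, no dotted address
    if pattern.endswith("."):
        return origin.startswith(pattern)  # network prefix such as 192.168.0.
    return origin == pattern

def user_matches(pattern, user):
    return pattern == "ALL" or user == pattern or user in GROUPS.get(pattern, set())

def access_granted(user, origin, rules=parse_rules(ACCESS_CONF)):
    """First matching rule wins; pam_access allows when nothing matches."""
    for allow, who, origins in rules:
        if user_matches(who, user) and origin_matches(origins, origin):
            return allow
    return True

if __name__ == "__main__":
    for user, origin in [("alice", "192.168.0.7"), ("alice", "203.0.113.9"), ("carol", "tty1")]:
        print(user, origin, "allow" if access_granted(user, origin) else "deny")
```

Note that a user in neither group logging in on a local console (origin "tty1") matches none of the three rules and is therefore allowed, which is exactly the effect the final "ALL EXCEPT LOCAL" rule is written to preserve.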