
Re: Can a daemon listen only on some interfaces?



On Sun, Dec 09, 2001 at 04:30:35AM +0100, Guillem Jover wrote:
> On Sun, Dec 09, 2001 at 12:06:26AM +1000, mdevin@ozemail.com.au wrote:
> > I do want sshd to listen on all (0.0.0.0) but I would like to find a way
> > to make it only accept connection attempts for a certain user from the
> > internet but still allow several other users to connect from the LAN.  I
> > do know how to make it accept connections for only certain users - by
> > using the AllowUsers config item in /etc/ssh/sshd_config.  But this
> > allows all the users specified, to connect on all interfaces ssh listens
> > on, which is not what I want ideally.  What would be better, is to allow
> > several from the LAN to connect but only one (me) from the internet.
> > This doesn't seem possible from my reading so far.  Oh well.
> 
> you may use pam, look at this previous post:
> 
> http://lists.debian.org/debian-security/2001/debian-security-200111/msg00395.html
>
Thanks for that.  It is a different approach to solve the problem.

Here is what I did:

First I created two new groups: ssh-lan (for users allowed to ssh in
from the LAN) and ssh-remote (for users allowed to ssh from anywhere).

Then in /etc/security/access_conf I put the following:
----------------- snip ---------------------------
# Allow group ssh-lan to connect from the LAN
+:ssh-lan:192.168.0.

# Allow group ssh-remote to connect from anywhere
+:ssh-remote:ALL

# Disallow non-local logins for everyone else
-:ALL:ALL EXCEPT LOCAL
------------------ snip ---------------------------

Then in /etc/pam.d/ssh I put the following:
------------------ snip ---------------------------
# Access limits
account  required       pam_access.so
------------------ snip ---------------------------

After some testing, it does seem to do what I hoped.  Only those users
that are in ssh-lan can ssh in from the LAN and only those in ssh-remote
can ssh in from anywhere.  No one else can log in remotely at all.

The only remaining question I have is:  Is this the correct way to use
the - and + permission setting in /etc/security/access_conf ?  'Cause
what I have done here is to allow specific users first and then disallow
all by default.  It seems to work so I can only presume that it is a
case of the first matching rule wins.  Is this correct?

Cheers and thanks for the insight.
Mark.
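As an added illustration, not part of the thread and not pam_access's own code, the following Python model evaluates Mark's three access.conf rules in file order with first-match-wins semantics, using constructed users and group memberships in place of /etc/group. It covers only the syntax used in the post (group names, ALL, LOCAL, EXCEPT and a trailing-dot network prefix), and its LOCAL check is a simplification of the real module's.

```python
"""Constructed model of pam_access rule evaluation: first matching rule wins."""

# Constructed: the three rules from the post, in file order.
ACCESS_CONF = """
# Allow group ssh-lan to connect from the LAN
+:ssh-lan:192.168.0.
# Allow group ssh-remote to connect from anywhere
+:ssh-remote:ALL
# Disallow non-local logins for everyone else
-:ALL:ALL EXCEPT LOCAL
"""

# Constructed group membership (user -> groups), standing in for /etc/group.
GROUPS = {"alice": {"ssh-lan"}, "mark": {"ssh-lan", "ssh-remote"}, "bob": set()}


def parse_rules(text):
    # Each non-comment line is permission:users:origins.
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm.strip() == "+", users.split(), origins.strip()))
    return rules


def user_matches(field, user):
    # A users entry is ALL, a login name, or a group the user belongs to.
    return field == "ALL" or field == user or field in GROUPS.get(user, set())


def origin_matches(field, origin):
    # Simplified: LOCAL is an origin with no dot (a tty); a trailing dot is a network prefix.
    if field == "ALL":
        return True
    if field == "LOCAL":
        return "." not in origin
    if field.endswith("."):
        return origin.startswith(field)
    return field == origin


def origins_match(spec, origin):
    # "X EXCEPT Y" matches when X matches and Y does not.
    if " EXCEPT " in spec:
        main, exc = spec.split(" EXCEPT ", 1)
        return origins_match(main, origin) and not origins_match(exc, origin)
    return any(origin_matches(f, origin) for f in spec.split())


def allowed(rules, user, origin):
    # Walk rules in file order; the first rule matching user and origin decides.
    for permit, users, origins in rules:
        if any(user_matches(u, user) for u in users) and origins_match(origins, origin):
            return permit
    return True  # no rule matched: pam_access permits
```

Reordering the rules so the deny line comes first locks out everyone, which is why the allow rules must precede the catch-all deny.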
