[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Can a daemon listen only on some interfaces?

On Sun, Dec 09, 2001 at 04:30:35AM +0100, Guillem Jover wrote:
> On Sun, Dec 09, 2001 at 12:06:26AM +1000, mdevin@ozemail.com.au wrote:
> > I do want sshd to listen on all ( but I would like to find a way
> > to make it only accept connection attempts for a certain user from the
> > internet but still allow several other users to connect from the LAN.  I
> > do know how to make it accept connections for only certain users - by
> > using the AllowUsers config item in /etc/ssh/sshd_config.  But this
> > allows all the users specified, to connect on all interfaces ssh listens
> > on, which is not what I want ideally.  What would be better, is to allow
> > several from the LAN to connect but only one (me) from the internet.
> > This doesn't seem possible from my reading so far.  Oh well.
> you may use pam, look at this previous post:
> http://lists.debian.org/debian-security/2001/debian-security-200111/msg00395.html
Thanks for that.  It is a different approach to solve the problem.

Here is what I did:

First I created two new groups: ssh-lan (for users allowed to ssh in
from the LAN) and ssh-remote (for users allowed to ssh from anywhere).

Then in /etc/security/access_conf I put the following:
----------------- snip ---------------------------
# Allow group ssh-lan to connect from the LAN

# Allow group ssh-remote to connect from anywhere

# Disallow non-local logins for everyone else
------------------ snip ---------------------------

Then in /etc/pam.d/ssh I put the following:
------------------ snip ---------------------------
# Access limits
account  required       pam_access.so
------------------ snip ---------------------------

After some testing, it does seem to do what I hoped.  Only those users
that are in ssh-lan can ssh in from the LAN and only those in ssh-remote
can ssh in from anywhere.  No one else can log in remotely at all.

The only remaining question I have is:  Is this the correct way to use
the - and + permission setting in /etc/security/access_conf ?  'Cause
what I have done here is to allow specific users first and then disallow
all by default.  It seems to work so I can only presume that it is a
case of the first matching rule wins.  Is this correct?

Cheers and thanks for the insight.

Attachment: pgpfuyHXxQGD6.pgp
Description: PGP signature

Reply to: