
Re: Restricting ssh access to internet but not to internal network



On Thu, 24 Nov 2005, Patrick wrote:

> I have a server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in sshd configuration file?

You are looking for pam_access.

weasel@lore:~$ grep -C3 access /etc/pam.d/ssh
# Standard Un*x authentication.
@include common-auth

# do etc/security/access checks
# weasel, Fri, 25 Feb 2005 12:05:42 +0100
account       required     pam_access.so # [1]

# Standard Un*x authorization.
@include common-account

weasel@lore:~$ tail -n5 /etc/security/access.conf
# weasel, Fri, 25 Feb 2005 12:06:57 +0100
+:ALL:127.
+:ALL:192.0.2.
+:weasel:ALL
-:ALL:ALL

HTH.
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/
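
How the access.conf rules quoted above are evaluated, as an added example that is not part of the original message and is not pam_access's own code. It is a simplified model in Python; the function names, the user "alice" and the test addresses are assumptions made for illustration.

```python
# Added example: simplified model of pam_access first-match evaluation.
# Handles only the syntax used in the message (ALL, user names, address
# prefixes ending in "."); groups, EXCEPT, LOCAL and netmasks are omitted.

# Constructed copy of the access.conf tail shown in the message.
ACCESS_CONF = """\
+:ALL:127.
+:ALL:192.0.2.
+:weasel:ALL
-:ALL:ALL
"""

def parse_rules(text):
    """Return a list of (permit, users, origins) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.0.2." matches 192.0.2.x
        return origin.startswith(pattern)
    return pattern == origin

def decide(rules, user, origin):
    """First matching rule wins; with no match, access is granted."""
    for permit, users, origins in rules:
        user_ok = any(u in ("ALL", user) for u in users)
        origin_ok = any(origin_matches(o, origin) for o in origins)
        if user_ok and origin_ok:
            return permit
    return True

if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for user, origin in [("alice", "192.0.2.17"), ("alice", "203.0.113.5"),
                         ("weasel", "203.0.113.5"), ("alice", "192.0.20.1")]:
        print(user, origin, "allow" if decide(rules, user, origin) else "deny")
```

Because a login that matches no rule is granted, the closing `-:ALL:ALL` line is what turns the list into an allow-list; the trailing dot in `192.0.2.` keeps the prefix from also matching `192.0.20.x`.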


