linuxpyro (Apprentice; joined 08 Sep 2004; 255 posts)
Posted: Mon Aug 14, 2006 12:07 am    Post subject: SSH access restricted by IP
Hello, I have a strange situation with the OpenSSH server which I have not been able to find much info on. Is it possible to restrict a certain group of users to log in from only one IP address? I know it's possible to only allow logins from one IP, but I would like to have this only for users of one group.
Can this work?
Thanks in advance.
HeXiLeD (Veteran; joined 20 Aug 2005; 1159 posts; Location: Online)
Posted: Mon Aug 14, 2006 1:57 am
Yes, and it can be done with iptables in a fast way: allow only the wanted IP to connect to the sshd port and drop everything else to that port/service.
You may also want to check these:
www.faqs.org/docs/securing/chap15sec121.html
http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_Swatch
For more security you may also want to check these options:
LoginGraceTime
PermitRootLogin <no>
StrictModes
MaxAuthTries
AllowUsers
RhostsRSAAuthentication
PasswordAuthentication
PermitEmptyPasswords
_________________
Do you hear the sound of inevitability?
With age comes great grumpiness, and that was 20 years ago...
CertFP: becbbd161d5a5c31de3c45171b77bf710911db29 / d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244
linuxpyro (Apprentice; joined 08 Sep 2004; 255 posts)
Posted: Mon Aug 14, 2006 5:17 am
This is a little tough to explain; I'm sorry for being a little unclear. I want to have it set up so users who are members of a particular group can only log into SSH from one IP. I have another group of users whom I want to be able to log in from anywhere.
If I could override the host option in the ssh_config file for a handful of users, that would be great.
Thanks for the info, though; I'll keep at it.
HeXiLeD (Veteran; joined 20 Aug 2005; 1159 posts; Location: Online)
Posted: Sat Aug 19, 2006 9:48 pm
Read a bit on how to use /etc/hosts.allow and /etc/hosts.deny. You can also use them for what you want to do.
hanj (Veteran; joined 19 Aug 2003; 1500 posts)
Posted: Sun Aug 20, 2006 6:34 am
linuxpyro wrote:
    This is a little tough to explain; I'm sorry for being a little unclear. I want to have it set up so users who are members of a particular group can only log into SSH from one IP. I have another group of users whom I want to be able to log in from anywhere.
Can this be key-based authentication? If so, for the first group (limited by IP) you can add additional restrictions to their key:
Code:
    from="xxx.xxx.xxx.xxx" ssh-dss AAAAB3NzaC1kcasdfasdfasdf5K8Y5Mpy/WVRr2pozQZSTJ... rest of key
Just a thought.
hanji
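An added example (not hanj's code and not from the thread) of applying that `from=` restriction to every key in an existing authorized_keys file without clobbering options that are already there. It goes a little beyond the single bare key in the post: lines that already carry an options string are handled (a quoted `command=` value can contain spaces and commas, so the options field is cut at the first unquoted whitespace rather than at the first space), and lines that already have a `from=` are left alone so the script can be re-run. The sample file and the address 10.0.0.5 are constructed for the example. Two caveats a practitioner will want: `from=` is a pattern list matched against the client's IP address (and its resolved hostname when UseDNS is on), so pin the IP; and the `ssh-dss` key type in the post is DSA, which OpenSSH has disabled by default since 7.0, so use ed25519 or RSA keys today.

```python
"""Add a from="..." restriction to every key in an authorized_keys file.
Added example, not hanj's code and not from the thread; the address and
the sample file below are constructed for illustration."""
import re

# If a line starts with one of these, it has no options field.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _split_options(line):
    """Split 'opt1,command="ls -l" ssh-rsa AAAA...' into (options, rest).
    Options end at the first whitespace outside double quotes; quoted
    option values may themselves contain spaces and commas."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and not (i > 0 and line[i - 1] == "\\"):
            in_quote = not in_quote          # an unescaped quote toggles state
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def restrict_key_line(line, addr):
    """Return `line` with from="addr" prepended to its options.
    Blank lines, comments and keys that already carry from= are returned
    unchanged, so re-running the script is safe."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    first = stripped.split(None, 1)[0]
    if first.startswith(KEY_TYPE_PREFIXES):          # bare key, no options
        return f'from="{addr}" {stripped}'
    options, rest = _split_options(stripped)        # existing options field
    if re.search(r'(^|,)from=', options):
        return stripped                              # already pinned; keep as-is
    return f'from="{addr}",{options} {rest}'


def restrict_authorized_keys(text, addr):
    """Apply restrict_key_line to a whole authorized_keys file body."""
    return "".join(restrict_key_line(l, addr) + "\n" for l in text.splitlines())


# Constructed sample file: a bare key, a key with options, one already
# pinned to another address, and a comment. Key data is placeholder text.
SAMPLE = """\
# keys for the restricted group
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData alice@laptop
command="ls -l",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExample bob@desk
from="192.0.2.7" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABOther carol@home
"""

if __name__ == "__main__":
    print(restrict_authorized_keys(SAMPLE, "10.0.0.5"), end="")
```

Run it over each restricted user's `~/.ssh/authorized_keys` (as root, writing to a temp file and moving it into place) and keep StrictModes on so sshd refuses the file if the permissions slip.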
think4urs11 (Bodhisattva; joined 25 Jun 2003; 6659 posts; Location: above the cloud)
Posted: Sun Aug 20, 2006 9:56 am
linuxpyro wrote:
    This is a little tough to explain; I'm sorry for being a little unclear. I want to have it set up so users who are members of a particular group can only log into SSH from one IP. I have another group of users whom I want to be able to log in from anywhere.
This should do the trick in /etc/ssh/sshd_config:
Code:
    AllowGroups powerusers
    AllowUsers user1@ip user2@ip user3@ip user4@ip
Users listed in AllowUsers are restricted to one IP; all others (which must be members of powerusers) are allowed from everywhere. Of course, if the number of IP-restricted users is too high this gets annoying to configure.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
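Worth checking before deploying the config above: sshd_config(5) says sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and once AllowUsers is present, a user name that matches none of its patterns is refused regardless of group membership. With the two lines above, a member of powerusers who is not listed in AllowUsers is therefore locked out, and the listed users must additionally belong to powerusers to pass AllowGroups. The Python below is an added model of that documented evaluation order (not the thread's code and not OpenSSH's): `user@host` patterns are matched with the usual `*` and `?` wildcards, the host half against the client IP only (hostnames, CIDR and `!` negation are not modelled), and the user names, group names and 10.0.0.x addresses are made up. It runs the posted config and a variant that lists the unrestricted users without a host part.

```python
"""Model of sshd's user/group access checks, added as an illustration of
the config posted above.  Not the thread's code and not OpenSSH's: it
follows the order documented in sshd_config(5) (DenyUsers, AllowUsers,
DenyGroups, AllowGroups) with *, ? wildcards, and the host half of a
user@host pattern is matched against the client IP only (hostnames,
CIDR and ! negation are not modelled).  Names and addresses are made up."""
from fnmatch import fnmatchcase


def _user_pattern_matches(pattern, user, addr):
    """'alice' matches any source; 'alice@10.0.0.5' only that address."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and fnmatchcase(addr, host_pat)
    return fnmatchcase(user, pattern)


def sshd_allows(config, user, groups, addr):
    """Return (allowed, reason) for a login by `user`, member of `groups`,
    from IP `addr`, under the Allow*/Deny* lists in `config`."""
    deny_users = config.get("DenyUsers", [])
    allow_users = config.get("AllowUsers", [])
    deny_groups = config.get("DenyGroups", [])
    allow_groups = config.get("AllowGroups", [])

    # 1. DenyUsers: any match refuses the login outright.
    if any(_user_pattern_matches(p, user, addr) for p in deny_users):
        return False, "DenyUsers"
    # 2. AllowUsers: if present, the user must match at least one pattern.
    #    This is the trap: unlisted users are refused whatever their groups.
    if allow_users and not any(_user_pattern_matches(p, user, addr) for p in allow_users):
        return False, "not in AllowUsers"
    # 3. DenyGroups: any of the user's groups matching refuses the login.
    if any(fnmatchcase(g, p) for p in deny_groups for g in groups):
        return False, "DenyGroups"
    # 4. AllowGroups: if present, at least one of the user's groups must match.
    if allow_groups and not any(fnmatchcase(g, p) for p in allow_groups for g in groups):
        return False, "not in AllowGroups"
    return True, "ok"


# The config from the post above, with a concrete (made-up) address.
POSTED = {
    "AllowGroups": ["powerusers"],
    "AllowUsers": ["user1@10.0.0.5", "user2@10.0.0.5"],
}
# Same intent without the lockout: every user who may log in is listed,
# and only the restricted ones carry a host part.
FIXED = {
    "AllowUsers": ["user1@10.0.0.5", "user2@10.0.0.5", "alice", "bob"],
}


if __name__ == "__main__":
    attempts = [
        ("user1", ["powerusers"], "10.0.0.5"),
        ("user1", ["restricted"], "10.0.0.5"),
        ("user1", ["powerusers"], "10.0.0.9"),
        ("alice", ["powerusers"], "198.51.100.7"),
    ]
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for user, groups, addr in attempts:
            print(name, user, groups, addr, sshd_allows(cfg, user, groups, addr))
```

Listing every unrestricted user by hand is exactly the maintenance burden the post mentions. Current OpenSSH releases accept AllowGroups and DenyGroups inside a Match block, so the same intent is expressed directly by `Match Address !10.0.0.5,*` followed by an indented `DenyGroups restricted`, which refuses the restricted group from every address except 10.0.0.5 and leaves everyone else alone; check sshd_config(5) for the release you run and verify with `sshd -T -C user=user1,addr=10.0.0.9` before restarting the daemon.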