user@host in AllowUsers

Allan Stokes june01 at stokes.ca
Thu Jun 14 07:04:18 EST 2001


I have a number of development machines behind my OpenBSD firewall which all
provide a very permissive development account (and easy sudo).  I don't want
this account exposed on the internet side of the firewall, so I created a
doorstep account with no perms and really long passwords to get anywhere
useful.

I looked through the SSH book and it gave me the impression that I could set
up these rules:

AllowUsers  wiz@*.myhouse.nat
AllowUsers  doorstep@*

But when I tested it was clear that OpenSSH 2.9 doesn't support this syntax.
Then I searched this list and I found a post from June 4 by Andrew Tridgell
supplying a patch to provide exactly this functionality.

Actually I initially thought there might be an ipf-like syntax:

AllowUsers  wiz@xl0

The other option is to run different instances of sshd bound to different
interfaces, with different config files.  I'd rather not.

Andrew's patch would do the job just fine.  I hope it gets incorporated,
especially since the SSH book implies that this kind of access control is
possible.

Allan
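The access policy the post is after, modelled as an added example (not OpenSSH code): `user@host` entries are deny-by-default and are matched with the same shell-style wildcards sshd uses. The entries and client names are constructed; note that the host name sshd compares against comes from reverse DNS, so an address pattern is the more trustworthy form.

```python
import fnmatch
from typing import Iterable, Optional, Tuple

# Constructed policy in the user@host form the post asks for.
ALLOW_USERS = ["wiz@*.myhouse.nat", "doorstep@*"]


def parse_entry(entry: str) -> Tuple[str, str]:
    """Split 'user@hostpattern' into (user, host); a bare user means any host."""
    if "@" in entry:
        user, host = entry.split("@", 1)
        return user, host
    return entry, "*"


def allow_users_permits(entries: Iterable[str], user: str, host: str,
                        addr: Optional[str] = None) -> bool:
    """Deny by default: permit only if some entry matches the user name AND
    the client's host name (or, if given, its address).  '*' and '?' are
    shell-style wildcards; matching is case-sensitive."""
    for entry in entries:
        u_pat, h_pat = parse_entry(entry)
        if not fnmatch.fnmatchcase(user, u_pat):
            continue
        if fnmatch.fnmatchcase(host, h_pat):
            return True
        if addr is not None and fnmatch.fnmatchcase(addr, h_pat):
            return True
    return False


if __name__ == "__main__":
    # Constructed clients: the dev box inside the house and an outside host.
    for user, host in [("wiz", "devbox.myhouse.nat"), ("wiz", "outside.example.com"),
                       ("doorstep", "outside.example.com"), ("root", "devbox.myhouse.nat")]:
        verdict = "allow" if allow_users_permits(ALLOW_USERS, user, host) else "deny"
        print(f"{user}@{host}: {verdict}")
```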
