more flexible AllowUsers/DenyUsers syntax
Michael A Stevens
mstevens at cmu.edu
Wed Jun 29 03:59:19 EST 2005
The easiest way to do this would be to have three sshd's running, but
listening on different IP addresses. You could give each its own config
file with the -f option and have only one of them allow root logins.
Mike
On Tue, 28 Jun 2005, Daniel Rogers wrote:
> Hi,
>
> I hope this is the right place for a feature request.
> I'd like to have more flexible AllowUsers/DenyUsers syntax.
>
> I am in a situation, where I have machines connected to three networks (a
> private, high speed, a public, and a private vpn) and I'd like to enable root
> logins only on the private networks. Currently I see no way of doing this,
> because there is no way to specify a class that doesn't match. Something
> like:
> AllowUsers ~root@*
> AllowUsers root@10.0.2.0/24
> AllowUsers root@172.31.0.0/24
> Would be really really friggin' nice.
> Even nicer would be to have acl statements with sophistication akin to squid's
> configuration.
>
> Further, it would be really nice to be able to understand when openssh treats
> a pattern match like an ip or network and when openssh treats a pattern match
> like a host or domain name.
>
> Are any features like this planned? Is what I am asking for reasonable?
>
> --
> Daniel
>
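
The per-address setup suggested in the reply above, sketched as an added example that is not part of the original thread or of OpenSSH: one config file per interface, plus an audit that fails any file permitting root login on a non-private listener. The host addresses (10.0.2.5, 172.31.0.5, 192.0.2.10), file names and function names are assumptions; only the two private networks come from the request.

```shell
#!/bin/sh
# Added example. Addresses are constructed: 10.0.2.5 and 172.31.0.5 sit in the
# private networks named in the request, 192.0.2.10 stands in for the public one.

# write_cfg DIR NAME LISTEN_ADDR ROOT_POLICY
write_cfg() {
    cat > "$1/sshd_config.$2" <<EOF
ListenAddress $3
PermitRootLogin $4
PidFile /var/run/sshd.$2.pid
EOF
}

# gen_configs DIR: root logins allowed only on the two private addresses.
gen_configs() {
    write_cfg "$1" fast   10.0.2.5   yes
    write_cfg "$1" vpn    172.31.0.5 yes
    write_cfg "$1" public 192.0.2.10 no
}

# is_private ADDR: textual match against 10.0.2.0/24 and 172.31.0.0/24,
# which is sufficient for literal IPv4 addresses in /24 networks.
is_private() {
    case "$1" in
        10.0.2.*|172.31.0.*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cfg FILE: succeed only if root login is disabled, or every
# ListenAddress is private. A file with no ListenAddress fails, because
# sshd would then bind all addresses. A missing PermitRootLogin is
# treated as "not disabled" so the check fails closed.
audit_cfg() {
    root=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    [ "$root" = "no" ] && return 0
    addrs=$(awk 'tolower($1)=="listenaddress" {print $2}' "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        is_private "${a%:*}" || return 1   # strip an optional :port
    done
    return 0
}
```

Each generated file can be checked with `sshd -t -f FILE` and then started as its own daemon with `sshd -f FILE`.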