Limit SSH access for users from defined source address
Martin Čmelík
martin.cmelik at gmail.com
Thu Jun 30 21:15:18 EST 2011
Hi all,
let me describe my environment and problem.
The system is RHEL 5.6 with the latest stable OpenSSH.
sshd_config defines "AllowGroups sshusers", but I need to limit
some of the users in the group to have access only from a defined IP address.
As far as I know this can be set up in sshd_config only for AllowUsers, but
the users in the group change, so I must use AllowGroups instead of
AllowUsers.
I have modified /etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
and set up the access file /etc/security/access-sshd.conf
- : user1 : ALL EXCEPT 1.1.1.1
- : user2 : ALL EXCEPT 2.2.2.2
This setup works fine. I'm able to log in from the defined sources, but
only via password authentication.
When I use ssh keys I'm unable to log in, and /var/log/secure shows this log
--attached--
The .ssh directory and authorized_keys have permissions 600.
I know that it is more related to PAM modules, but I hope that
some of you can help me more than the PAM developers.
Thank you for any feedback!
Best regards,
—
Martin Čmelík
http://www.security-portal.cz
http://www.securix.org
Contact me: martin.cmelik at gmail.com
Save a tree - kill a beaver
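
Added example (not part of the original post, and not code from OpenSSH or Linux-PAM): a simplified Python model of how pam_access evaluates an access file like the one above, useful for checking user/source pairs before deploying a rule change. It assumes only literal user names, ALL, EXCEPT, and IP address or network origins (no groups, netgroups, ttys or LOCAL); all function names are hypothetical.

```python
import ipaddress

def parse(text):
    """Return [(perm, user_tokens, origin_tokens)] from access-file text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def match_user(token, user):
    return token == "ALL" or token == user

def match_origin(token, origin):
    if token == "ALL":
        return True
    try:  # a single address or an address/prefix network
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:  # not an IP (e.g. a host name): plain string comparison
        return token == origin

def list_match(tokens, item, match_one):
    """'A B EXCEPT C' matches when A or B matches and C does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, None
    if not any(match_one(t, item) for t in head):
        return False
    return tail is None or not list_match(tail, item, match_one)

def allowed(rules, user, origin):
    """First matching rule decides; with no match pam_access grants access."""
    for perm, users, origins in rules:
        if list_match(users, user, match_user) and list_match(origins, origin, match_origin):
            return perm == "+"
    return True

# The access file from the post above.
ACCESS_SSHD = """\
- : user1 : ALL EXCEPT 1.1.1.1
- : user2 : ALL EXCEPT 2.2.2.2
"""

if __name__ == "__main__":
    rules = parse(ACCESS_SSHD)
    for user, src in [("user1", "1.1.1.1"), ("user1", "2.2.2.2"), ("user3", "2.2.2.2")]:
        print(user, src, "allow" if allowed(rules, user, src) else "deny")
```

A user with no matching line (user3 here) is allowed by pam_access from any source, so for such users only sshd's AllowGroups check applies.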