Limit SSH access for users from defined source address

Martin Čmelík martin.cmelik at
Thu Jun 30 21:15:18 EST 2011

Hi all,

Let me describe my environment and problem.

The system is RHEL 5.6 with the latest stable OpenSSH.

sshd_config defines "AllowGroups sshusers", but I need to limit
some of the users in the group to have access only from a defined IP address.

As far as I know, this can be set up in sshd_config only for AllowUsers, but
the users in the group change, so I must use AllowGroups instead of

I have modified /etc/pam.d/sshd

auth       include      system-auth
account    required accessfile=/etc/security/access-sshd.conf
account    required
account    include      system-auth
password   include      system-auth
session    optional force revoke
session    include      system-auth
session    required

and set up the access file /etc/security/access-sshd.conf

- : user1 : ALL EXCEPT
- : user2 : ALL EXCEPT

This setup works fine. I'm able to log in from the defined sources, but
only via password authentication.

When I use SSH keys I'm unable to log in, and /var/log/secure contains this log:


The .ssh directory and authorized_keys have permissions 600.

I know that it is more related to PAM modules, but I hope that
some of you can help me more than the PAM developers.

Thank you for any feedback!

Best regards,

Martin Čmelík
Contact me: martin.cmelik at
Save a tree - kill a beaver

More information about the openssh-unix-dev mailing list
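
The rule shape used in the access file above (`- : user : ALL EXCEPT <source>`), as an added example that is not part of the original post and not the PAM module's own code: a simplified Python model of first-match evaluation for access.conf-style rules. It assumes IP-only origins; the addresses are constructed documentation values, and `check_access` and `SAMPLE_RULES` are hypothetical names.

```python
import ipaddress

# Constructed rules in the shape the post uses. The addresses are RFC 5737
# documentation ranges chosen for this example, not values from the post.
SAMPLE_RULES = """\
# permission : users : origins
- : user1 : ALL EXCEPT 192.0.2.10
- : user2 : ALL EXCEPT 198.51.100.0/24
"""

def _list_match(tokens, item, match_one):
    """True if item matches the token list; 'A EXCEPT B' means A and not B."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(tokens[:i], item, match_one)
                and not _list_match(tokens[i + 1:], item, match_one))
    return any(match_one(tok, item) for tok in tokens)

def _user_match(token, user):
    return token in ("ALL", user)

def _origin_match(token, origin):
    if token == "ALL":
        return True
    try:  # assumption: origins are IP addresses or CIDR networks only
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # hostnames, ttys and LOCAL are not modelled here

def check_access(rules_text, user, origin):
    """Return True if the login is allowed.

    The first rule whose users and origins both match decides ('+' allows,
    '-' denies); if no rule matches, access is granted.
    """
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]  # origins keep any ':'
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed rule: {raw!r}")
        perm, users, origins = fields
        if (_list_match(users.split(), user, _user_match)
                and _list_match(origins.split(), origin, _origin_match)):
            return perm == "+"
    return True
```

Because a login that matches no rule falls through to allow, each user who needs a source restriction must have a deny rule of their own.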