Limit SSH access for users from defined source address

Martin Čmelík martin.cmelik at gmail.com
Thu Jun 30 21:36:34 EST 2011


Hi Benjamin,

Match Access is a new feature in OpenSSH 5.1, but I have OpenSSH_4.3p2.
When I wrote "latest stable openssh" I meant the latest stable in RHEL 5.6.

Thank you

—
Martin Čmelík

http://www.security-portal.cz
http://www.securix.org
Contact me: martin.cmelik at gmail.com
Save a tree - kill a beaver




2011/6/30 Benjamin SANS <sans.benjamin at gmail.com>:
> Martin Čmelík wrote:
>> Hi all,
>>
>> let me describe my environment and problem.
>>
>> System is RHEL 5.6 with latest stable OpenSSH.
>>
>> In sshd_config, "AllowGroups sshusers" is defined, but I need to limit
>> some of the users in the group to access only from a defined IP address.
>>
>> As far as I know this can be set up in sshd_config only for AllowUsers, but
>> the users in the group change, so I must use AllowGroups instead of
>> AllowUsers.
>>
>> I have modified /etc/pam.d/sshd
>>
>> #%PAM-1.0
>> auth       include      system-auth
>> account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
>> account    required     pam_nologin.so
>> account    include      system-auth
>> password   include      system-auth
>> session    optional     pam_keyinit.so force revoke
>> session    include      system-auth
>> session    required     pam_loginuid.so
>>
>> and setup access file /etc/security/access-sshd.conf
>>
>> - : user1 : ALL EXCEPT 1.1.1.1
>> - : user2 : ALL EXCEPT 2.2.2.2
>>
>> This setup works fine. I'm able to log in from the defined sources, but
>> only via password authentication.
>>
>> When I use ssh keys I'm unable to log in, and this is the log in /var/log/secure:
>
> Hi Martin,
>
> Maybe you could define a Match block like the following:
>
> Match Address x.x.x.0/y
>    PubkeyAuthentication yes
>
>>
>> --attached--
>>
>> .ssh directory and authorized_keys have permissions 600
>>
>> I know that it is more related to PAM modules, but I hope that
>> one of you can help me more than the PAM developers.
>>
>> Thank you for any feedback!
>>
>> Best regards,
>>
>> Martin Čmelík
>>
>> http://www.security-portal.cz
>> http://www.securix.org
>> Contact me: martin.cmelik at gmail.com
>> Save a tree - kill a beaver
>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> Regards,
>
> --
> Benjamin SANS
>
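As an added illustration (not code from the thread, nor from pam_access itself), the following Python evaluator models the rule semantics of the access-sshd.conf file Martin posted, so a defender can check what a given user/origin pair would get before deploying the file. It assumes the documented pam_access behaviour of the era: lines are "permission : users : origins", the first matching line decides, a bare name in the users field matches either a user or a group the user belongs to, and a login matching no line is granted; the third sample rule, the group name "ops", the user "bob" and all addresses are constructed for the example, and the LOCAL keyword and tty/domain origins are deliberately not modelled.

```python
import ipaddress

# Constructed sample in the format of /etc/security/access-sshd.conf.
# The first two lines are the ones from the thread; the third is added
# here to show a group name and a CIDR origin.
SAMPLE_ACCESS_CONF = """\
- : user1 : ALL EXCEPT 1.1.1.1
- : user2 : ALL EXCEPT 2.2.2.2
- : ops : ALL EXCEPT 10.0.0.0/24
"""


def _split_list(field):
    """Split 'a b EXCEPT c d' into (included patterns, excepted patterns)."""
    inc, _, exc = field.partition(" EXCEPT ")
    return inc.split(), exc.split()


def parse_rules(text):
    """Parse access.conf lines into (permit, users, origins) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments/blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", _split_list(users), _split_list(origins)))
    return rules


def _user_matches(pattern, user, groups):
    return pattern == "ALL" or pattern == user or pattern in groups


def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                        # network prefix, e.g. "10.0."
        return origin.startswith(pattern)
    if "/" in pattern:                                # CIDR, e.g. "10.0.0.0/24"
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == origin                          # exact address


def _list_matches(lst, match, *args):
    inc, exc = lst
    return any(match(p, *args) for p in inc) and not any(match(p, *args) for p in exc)


def is_allowed(rules, user, origin, groups=()):
    """First matching rule decides; no matching rule means access is granted."""
    for permit, users, origins in rules:
        if _list_matches(users, _user_matches, user, groups) and _list_matches(origins, _origin_matches, origin):
            return permit
    return True
```

Because the rules are deny-only, user1 is accepted from 1.1.1.1 and from nowhere else, while users that no line names are accepted from anywhere.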
