Limit SSH access for users from defined source address
Benjamin SANS
sans.benjamin at gmail.com
Thu Jun 30 21:31:43 EST 2011
Martin Čmelík wrote:
> Hi all,
>
> let me describe my environment and problem.
>
> System is RHEL 5.6 with latest stable OpenSSH.
>
> In sshd_config "AllowGroups sshusers" is defined, but I need to limit
> some of the users in the group to having access only from a defined IP address.
>
> As far as I know this can be set up in sshd_config only for AllowUsers, but
> the users in the group change, so I must use AllowGroups instead of
> AllowUsers.
>
> I have modified /etc/pam.d/sshd
>
> #%PAM-1.0
> auth include system-auth
> account required pam_access.so accessfile=/etc/security/access-sshd.conf
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
> and setup access file /etc/security/access-sshd.conf
>
> - : user1 : ALL EXCEPT 1.1.1.1
> - : user2 : ALL EXCEPT 2.2.2.2
>
> This setup works fine. I'm able to log in from the defined sources, but
> only via password authentication.
>
> When I use SSH keys I'm unable to log in, and in /var/log/secure is this log:
Hi Martin,
Maybe you could define a Match block like the following:
Match Address x.x.x.0/y
PubkeyAuthentication yes
>
> --attached--
>
> .ssh directory and authorized_keys have permissions 600
>
> I know that it is more related to PAM modules, but I hope that
> some of you can help me more than the PAM developers.
>
> Thank you for any feedback!
>
> Best regards,
>
> —
> Martin Čmelík
>
> http://www.security-portal.cz
> http://www.securix.org
> Contact me: martin.cmelik at gmail.com
> Save a tree - kill a beaver
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Regards,
--
Benjamin SANS
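The suggestion above, carried through for the two users in the original post, as an added sshd_config example (not the poster's or OpenSSH's own configuration). It assumes an OpenSSH release whose sshd_config(5) lists DenyUsers among the keywords permitted inside a Match block (current releases do; the 2011-era server in the post may not). The group name sshusers and the addresses 1.1.1.1 and 2.2.2.2 are taken from the original access-sshd.conf; everything else is constructed.

```text
# Added example, not the poster's or OpenSSH's configuration.
# Assumes DenyUsers is accepted inside a Match block (sshd_config(5)).
# Group and addresses come from the original post.

# Global policy: only members of sshusers may log in at all.
AllowGroups sshusers

# user1 may log in only from 1.1.1.1. The Match line applies to any
# connection for user1 whose source address is NOT 1.1.1.1 (the negated
# pattern is listed first, then the catch-all), and denies the user there.
# sshd makes this decision before any authentication method runs, so it
# covers password and public-key logins alike, unlike a pam_access rule
# in the PAM account stack.
Match User user1 Address !1.1.1.1,*
    DenyUsers user1

# Same restriction for user2, who may come only from 2.2.2.2.
Match User user2 Address !2.2.2.2,*
    DenyUsers user2

# Keep these Match blocks at the end of the file: every keyword that
# follows a Match line belongs to that block until the next Match line.
```

Run `sshd -t` after editing to check the syntax, and on OpenSSH 5.1 or later `sshd -T -C user=user1,addr=5.5.5.5` (5.5.5.5 being a constructed "wrong" source) prints the configuration sshd would apply to that connection, so the Match result can be verified before reloading. For key-based logins only, the same restriction can also be attached to an individual key with a `from="1.1.1.1"` option in authorized_keys, which sshd enforces itself, independently of PAM.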