Limit SSH access for users from defined source address

Benjamin SANS sans.benjamin at gmail.com
Thu Jun 30 21:31:43 EST 2011


Martin Čmelík wrote:
> Hi all,
> 
> let me describe my environment and problem.
> 
> System is RHEL 5.6 with latest stable OpenSSH.
> 
> In sshd_config is defined "AllowGroups sshusers" but I need limitation
> to some of users in group to have access only from defined IP address.
> 
> As I know this can be set up in sshd_config only for AllowUsers, but
> users in group are changed so I must use AllowGroups instead of
> AllowUsers.
> 
> I have modified /etc/pam.d/sshd
> 
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
> 
> and set up the access file /etc/security/access-sshd.conf
> 
> - : user1 : ALL EXCEPT 1.1.1.1
> - : user2 : ALL EXCEPT 2.2.2.2
> 
> This setup works fine. I'm able to login from defined sources, but
> only via password authentication.
> 
> When I use ssh keys I'm unable to login and in /var/log/secure there is this log

Hi Martin,

Maybe you could define a Match block like the following:

Match Address x.x.x.0/y
    PubkeyAuthentication yes

> 
> --attached--
> 
> .ssh directory and authorized_keys have permissions 600
> 
> I know that it is more related to PAM modules, but I hope that
> somebody of you can help me more than the PAM developers.
> 
> Thank you for any feedback!
> 
> Best regards,
> 
> Martin Čmelík
> 
> http://www.security-portal.cz
> http://www.securix.org
> Contact me: martin.cmelik at gmail.com
> Save a tree - kill a beaver

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Regards,

-- 
Benjamin SANS
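As an added example (not part of Benjamin's reply and not OpenSSH project documentation), here is how the same per-user source restriction can be expressed entirely in sshd_config with Match blocks, keeping the AllowGroups rule Martin already has. A Match block is allowed to override PubkeyAuthentication, PasswordAuthentication, KbdInteractiveAuthentication, HostbasedAuthentication, GSSAPIAuthentication and KerberosAuthentication, so turning all of them off for a user who connects from anywhere other than the permitted address rejects both password and key logins inside sshd, before PAM's account phase is ever reached. The user names and addresses are the ones from Martin's access-sshd.conf; the client host name in the verification command below is assumed.

```sshd_config
# Global policy stays as it is: group membership gates access for everyone.
AllowGroups sshusers

# user1 may authenticate only from 1.1.1.1 (address taken from the
# access-sshd.conf in the question).  "Address *,!1.1.1.1" matches every
# source except that one, so from anywhere else every authentication
# method that a Match block can switch is disabled and the login fails
# regardless of whether a password or a key is offered.
Match User user1 Address *,!1.1.1.1
    PasswordAuthentication no
    PubkeyAuthentication no
    KbdInteractiveAuthentication no
    HostbasedAuthentication no
    GSSAPIAuthentication no
    KerberosAuthentication no

# Same pattern for user2, permitted only from 2.2.2.2.
Match User user2 Address *,!2.2.2.2
    PasswordAuthentication no
    PubkeyAuthentication no
    KbdInteractiveAuthentication no
    HostbasedAuthentication no
    GSSAPIAuthentication no
    KerberosAuthentication no

# Any directives placed after this point belong to the last Match block,
# so keep global settings above the first "Match" line.
```

Match Address with CIDR and negated (!) entries, and the extended test mode used below, need OpenSSH 5.1 or later. Before restarting sshd, validate the file with `sshd -t -f /etc/ssh/sshd_config`, then print the effective settings for a specific user and source, for example `sshd -T -C user=user1,host=client.example.com,addr=203.0.113.7 | grep -i authentication` (the host name and the 203.0.113.7 test address are assumed); all listed methods should read "no" for that connection and "yes" again with addr=1.1.1.1. Two caveats: the Address criterion compares the client's IP address, not its name, so everyone behind the same NAT shares the allowed address; and the restriction is only as complete as the list of methods turned off, so any other method enabled globally on the host must be added to the block or it remains usable from everywhere.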