Restrict extranet connection to a group
Sebastien Koechlin
seb.ssh at koocotte.org
Sun Sep 30 06:24:43 EST 2012
Hello,
I have a question about sshd and I'm unable to find an answer; I checked the
man page, the FAQ, and the archives of the mailing list without success.
I'm in a small organization with a single server (Stable Linux Debian). It's
connected to two networks: local-network and internet.
From the local network, everybody is allowed to do SSH (sftp in fact) but I
want to restrict SSH connections coming from Internet to a group of users
(this group is named ssh, users within this group should be the only ones
allowed to connect from Internet).
I tried to deny any login method to users not on the local network and not
in the ssh group by writing into /etc/ssh/sshd_config the following section:

    Match Address !192.168.0.0/16 Group !ssh
        KbdInteractiveAuthentication no
        KerberosAuthentication no
        PasswordAuthentication no
        PubkeyAuthentication no
        RSAAuthentication no

But it does not work: I can log in with a password using a user not in the ssh
group. Am I doing it wrong? Why doesn't it work as expected? Is it
possible?
Thanks,
--
Sebastien Koechlin
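
Why the posted block never takes effect can be seen by modelling the pattern-list rule from the PATTERNS section of ssh_config(5): a negated match never produces a positive result by itself. This is an added example, not part of the original post and not OpenSSH code; the helper names, the sample connections and the wildcard variant of the Match line are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

def _hit(value, pat, is_addr):
    """One pattern against one value: CIDR test for addresses, else glob."""
    if is_addr:
        try:
            net = ipaddress.ip_network(pat, strict=False)
            return ipaddress.ip_address(value) in net
        except ValueError:
            pass  # not a CIDR (e.g. "*"): fall back to glob matching
    return fnmatchcase(value, pat)

def list_matches(values, pattern_list, is_addr=False):
    """Any negated hit vetoes; otherwise a positive hit is required."""
    positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        pat = pat.lstrip("!")
        if any(_hit(v, pat, is_addr) for v in values):
            if negated:
                return False
            positive = True
    return positive  # a list of only negated patterns can never be True

def block_applies(match_line, addr, groups):
    """Every criterion on the Match line must match for the block to apply."""
    words = match_line.split()[1:]  # drop the "Match" keyword
    for key, plist in zip(words[0::2], words[1::2]):
        if key == "Address" and not list_matches([addr], plist, True):
            return False
        if key == "Group" and not list_matches(groups, plist):
            return False
    return True

POSTED = "Match Address !192.168.0.0/16 Group !ssh"
# Assumed variant: adds the wildcard term the man page recommends.
WILDCARD = "Match Address *,!192.168.0.0/16 Group *,!ssh"

# Constructed sample connections: (source address, user's groups)
SAMPLES = [
    ("203.0.113.7", ["users"]),         # Internet, not in ssh
    ("203.0.113.7", ["users", "ssh"]),  # Internet, in ssh
    ("192.168.1.20", ["users"]),        # LAN, not in ssh
]

def evaluate(match_line):
    """Does the restrictive block apply to each sample connection?"""
    return [block_applies(match_line, a, g) for a, g in SAMPLES]
```

The model treats a negated hit on any of the user's groups as a veto, which is an assumption about group matching; check what the installed sshd actually does with `sshd -T -C user=NAME,host=HOST,addr=ADDR`.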