Restrict extranet connection to a group

Peter Stuge peter at stuge.se
Sun Sep 30 07:25:44 EST 2012


Sebastien Koechlin wrote:
> Why doesn't it work as expected?

I don't think sshd can know the groups until after authentication.

Hence, group matching happens after authentication, at which point
it doesn't matter that you forbid some authentication types.

Doing it the other way around doesn't help.

But I would recommend that you reverse the logic in sshd_config
anyway. Global config everything disallowed. Match local network
allow pubkey auth. I don't allow password or challenge+response
(kbdint).

Then try matching on the users, rather than group, and allow pubkey
auth in that match block too.


//Peter
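
The layout recommended in the reply above, sketched as an sshd_config fragment. This is an added example, not part of the original message; the address range 192.0.2.0/24 and the user names alice and bob are constructed placeholders.

```conf
# Global section: every authentication method is switched off by default.
PasswordAuthentication no
# Keyboard-interactive (kbdint); newer OpenSSH releases also accept the
# name KbdInteractiveAuthentication for this option.
ChallengeResponseAuthentication no
PubkeyAuthentication no

# Connections from the local network may use public key authentication.
# 192.0.2.0/24 is a placeholder range.
Match Address 192.0.2.0/24
    PubkeyAuthentication yes

# Named users (placeholders) may use public key authentication from any
# address. This matches on user names rather than on a group.
Match User alice,bob
    PubkeyAuthentication yes
```

`sshd -t` checks the file for syntax errors, and `sshd -T -C user=alice,host=client.example,addr=203.0.113.5` prints the settings that would apply to that constructed connection, so each Match block can be checked before sshd is reloaded.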


More information about the openssh-unix-dev mailing list