There's a way to restrict access to a user account or set of user accounts via PAM (and by extension, SSH): the obviously named pam_access module. It's available on Gentoo Linux in sys-libs/pam, and on Debian Linux (and I assume the derivatives) in libpam-modules.
In order to enable this module for SSH, edit SSH's PAM file (Gentoo: /etc/pam.d/sshd; Debian: /etc/pam.d/ssh) and add the access module to the account stack:
account required pam_access.so
Note that sshd only runs PAM's account stack when UsePAM is set to yes in /etc/ssh/sshd_config, so check that first; for a remote login the origin pam_access sees is the client's IP address.
There's some pretty good documentation in /etc/security/access.conf (at least, in the default distribution of it) on how to configure the file, but one thing that it doesn't say explicitly is that you can use IP address blocks in CIDR notation in the origins field. Each line has the form permission:users:origins, where permission is + (allow) or - (deny); the first line that matches both the user and the origin decides, and a login that matches no line at all is permitted. For instance, suppose I wanted to limit bob to the local network (192.168.0.*) and the VPN (172.16.*). The obvious line for that is:
-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16
Read strictly, though, that line denies every user other than bob when they connect from those two networks, and leaves bob free to log in from anywhere, because nothing matches him and the default is to permit. To actually confine bob to those networks, allow him from them and then deny him from everywhere else (the second line never matches anyone but bob, so other users are unaffected):
+:bob:192.168.0.0/24 172.16.0.0/16
-:bob:ALL
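To see the difference between the two rule sets, here is an added example (my own code, not part of the original post or of Linux-PAM) that evaluates access.conf lines with pam_access's first-match, default-permit semantics. It handles the subset of the syntax used above (ALL, ALL EXCEPT, user names, CIDR blocks and single addresses) and deliberately ignores group names, hostnames resolved via DNS, LOCAL and the other origin keywords; the rule sets and the (user, origin) pairs are constructed for illustration.

```python
import ipaddress

# Constructed rule sets for illustration (not taken from any real access.conf).
# The line from the post: deny everyone except bob when they come from these nets.
ORIGINAL_RULES = """
-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16
"""

# The corrected pair: allow bob from the two networks, then deny him from anywhere else.
CORRECTED_RULES = """
+:bob:192.168.0.0/24 172.16.0.0/16
-:bob:ALL
"""


def parse_rules(text):
    """Parse permission:users:origins lines; blank lines and comments are skipped.
    maxsplit=2 keeps IPv6 origins (which themselves contain colons) intact."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % line)
        rules.append((perm, users, origins))
    return rules


def _list_matches(field, item, token_matches):
    """Evaluate a users or origins field: ALL, a list of items, or ALL EXCEPT list."""
    tokens = field.split()
    if tokens[:2] == ["ALL", "EXCEPT"]:
        return not any(token_matches(t, item) for t in tokens[2:])
    return any(token_matches(t, item) for t in tokens)


def _user_token(token, user):
    return token == "ALL" or token == user


def _origin_token(token, origin):
    """Origin tokens: ALL, a CIDR block or single address, or a literal (e.g. a tty name)."""
    if token == "ALL":
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return token == origin


def access_allowed(rules, user, origin):
    """pam_access semantics: the first rule matching both fields decides;
    a login that matches no rule is permitted."""
    for perm, users, origins in rules:
        if _list_matches(users, user, _user_token) and _list_matches(origins, origin, _origin_token):
            return perm == "+"
    return True


def decisions(rules_text, cases):
    """Map each (user, origin) pair to True (allow) or False (deny) under rules_text."""
    rules = parse_rules(rules_text)
    return {case: access_allowed(rules, *case) for case in cases}


if __name__ == "__main__":
    # Constructed test logins; 203.0.113.7 stands in for "somewhere on the Internet".
    cases = [("bob", "192.168.0.5"), ("bob", "172.16.9.9"), ("bob", "203.0.113.7"),
             ("alice", "192.168.0.5"), ("alice", "203.0.113.7")]
    for name, text in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(name)
        for (user, origin), ok in decisions(text, cases).items():
            print("  %-6s from %-14s -> %s" % (user, origin, "allow" if ok else "DENY"))
```

Running it shows the original line letting bob in from 203.0.113.7 while locking alice out of the LAN, and the corrected pair doing the reverse: bob is admitted only from the two networks and alice is untouched. The same evaluator is a cheap way to dry-run a new access.conf against the logins you care about before you lock yourself out of a remote box.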
6 comments:
Bad description. It talks about a few files, then says "The configuration line for that would be:"
-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16
but yet you don't tell someone what file that config line goes in.
"if I wanted to limit bob to the local network"
Why are we limiting bob to a network? This is about limiting an IP to ssh access. wtf are you talking about?
Anonymous (1) said:
but yet why do you not tell someone what file that config line goes in.
Reread the first line of the third paragraph carefully.
Anonymous (2) said:
why are we limiting bob to a network. this is about limiting an ip to ssh access. wtf are you talking about
Nope, sorry. This is about limiting SSH logins for certain users to certain IP addresses. But thanks for playing!
"-:ALL EXCEPT bob:192.168.0.0/24" didn't work for me, and the "bob" account could still be accessed from any IP.
However, "+:bob:192.168.0.0/24" in combination with "-:ALL:ALL" works.
Anonymous (3) said:
Interesting. My solution worked for me on Debian Etch. It's too bad I couldn't use the solution you discuss, as a whitelist would be impractical where I used to work.
This line should be in access.conf. But by typing
-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16
all users will be denied access from the 192.168.0.0 network except bob!
A better way of restricting access for a specific user is to use the DenyUsers or DenyGroups directives in the /etc/ssh/sshd_config file.
Cheers