Thursday, April 12, 2007

HOWTO restrict ssh access by IP and user

There's a way to restrict access to a user account or set of user accounts via PAM (and by extension, SSH)—the obviously named pam_access module. It's available on Gentoo Linux in sys-libs/pam, and on Debian Linux (and I assume the derivatives) in libpam-modules.

In order to enable this module for SSH, you have to edit SSH's PAM file (Gentoo: /etc/pam.d/sshd; Debian: /etc/pam.d/ssh) and add the line that enables the access module:

account required pam_access.so

There's some pretty good documentation in /etc/security/access.conf (at least, in the default distribution of it) on how to configure the file, but one thing it doesn't say explicitly is that you can use IP address blocks in CIDR notation to denote access privileges. For instance, if I wanted to limit bob to the local network (192.168.0.*) and the VPN (172.16.*), the configuration line for that would be:

-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16
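Because pam_access walks access.conf top to bottom, stops at the first line whose user field and origin field both match, and grants access when nothing matches, it is worth checking what a rule actually does before trusting it. The following is an added example, not code from the original post or from pam_access itself: a small Python model of that evaluation (it handles only usernames, ALL, EXCEPT and IPv4/IPv6 addresses or CIDR blocks; groups, hostnames, tty names and LOCAL are not modelled, and the /etc/pam.d step is outside its scope). It runs the post's line, the allow-list from the comments, and a third rule set constructed here that puts EXCEPT in the origins field, against a few constructed user/IP pairs so the differences are visible.

```python
# Added example (not from the original post): a small model of how pam_access
# evaluates /etc/security/access.conf, used to compare the rule sets on this page.
# Assumptions: only usernames, ALL, EXCEPT and IPv4/IPv6 addresses or CIDR blocks
# are handled (real pam_access also matches groups, hostnames, tty names and
# LOCAL); lines are tested in order, the first matching line decides, and no
# matching line means access is granted.
import ipaddress


def _split_except(field):
    """Split 'A B EXCEPT C' into (['A', 'B'], ['C']); without EXCEPT the second list is empty."""
    if " EXCEPT " in field:
        head, tail = field.split(" EXCEPT ", 1)
        return head.split(), tail.split()
    return field.split(), []


def _user_matches(item, user):
    return item == "ALL" or item == user


def _origin_matches(item, ip):
    if item == "ALL":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False)
    except ValueError:
        return False  # hostnames / tty names are not modelled here


def _field_matches(field, value, matcher):
    items, exceptions = _split_except(field)
    if any(matcher(e, value) for e in exceptions):
        return False
    return any(matcher(i, value) for i in items)


def parse_access_conf(text):
    """Return (permit, users_field, origins_field) for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm == "+", users.strip(), origins.strip()))
    return rules


def allowed(conf_text, user, ip):
    """True if this model of pam_access would let `user` in from `ip` under conf_text."""
    for permit, users, origins in parse_access_conf(conf_text):
        if _field_matches(users, user, _user_matches) and _field_matches(origins, ip, _origin_matches):
            return permit
    return True  # no rule matched: pam_access grants access


# The line from the post body.
AUTHOR_RULES = "-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16\n"
# The allow-list suggested in the comments.
WHITELIST_RULES = "+:bob:192.168.0.0/24\n-:ALL:ALL\n"
# Constructed here (not on the page): deny bob from everywhere except the LAN and VPN.
BOB_ONLY_FROM_LAN_AND_VPN = "-:bob:ALL EXCEPT 192.168.0.0/24 172.16.0.0/16\n"


def compare():
    """Evaluate the three rule sets for a few constructed (user, ip) cases."""
    cases = [("bob", "192.168.0.10"), ("bob", "172.16.4.4"), ("bob", "203.0.113.5"),
             ("alice", "192.168.0.10"), ("alice", "203.0.113.5")]
    rule_sets = [("author", AUTHOR_RULES), ("whitelist", WHITELIST_RULES),
                 ("bob_only", BOB_ONLY_FROM_LAN_AND_VPN)]
    return {name: {f"{u}@{ip}": allowed(conf, u, ip) for u, ip in cases}
            for name, conf in rule_sets}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for case, ok in results.items():
            print(f"  {case}: {'permit' if ok else 'deny'}")
```

Running it shows that the post's line leaves bob unrestricted and instead denies every other user from the two networks, the allow-list confines bob to the LAN but locks everyone else out entirely, and the third rule set is the one that matches the stated goal of limiting only bob to the LAN and VPN.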

6 comments:

Anonymous said...

Bad description, talks about a few files then says "The configuration line for that would be:"

-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16

but yet why do you not tell someone what file that config line goes in?

Anonymous said...

if I wanted to limit bob to the local network

Why are we limiting bob to a network? This is about limiting an IP to SSH access. wtf are you talking about?

Mark said...

Anonymous (1) said:
but yet why do you not tell someone what file that config line goes in.

Reread the first line of the third paragraph carefully.

Anonymous (2) said:
why are we limiting bob to a network. this is about limiting an ip to ssh access. wtf are you talking about

Nope, sorry. This is about limiting SSH logins for certain users to certain IP addresses. But thanks for playing!

Anonymous said...

"-:ALL EXCEPT bob:192.168.0.0/24" didn't work for me, and the "bob" account could still be accessed from any IP.

However, "+:bob:192.168.0.0/24" in combination with "-:ALL:ALL" works.

Mark said...

Anonymous (3) said:

Interesting. My solution worked for me on Debian Etch. It's too bad I couldn't use the solution you discuss, as a whitelist would be impractical where I used to work.

Anonymous said...

This line should be in access.conf. But by typing

-:ALL EXCEPT bob:192.168.0.0/24 172.16.0.0/16
all users will be denied access from the 192.168.0.0 network except bob!

A better way of restricting access for a specific user is to use the DenyUsers or DenyGroups directives in the /etc/ssh/sshd_config file.
Cheers