[nycbug-talk] Restricting OpenSSH by account/IP
Rick Aliwalas
rick
Tue Mar 15 10:12:04 EST 2005
On Tue, 15 Mar 2005, Paul Dlug wrote:
> The problem I have is that I have a host open to the outside for SSH used by
> various remote employees and people working from home. This same host has a
> number of accounts that users SSH into from their desktops. Some of these
> accounts are shared between users (yes this is bad!) so they have insecure
> passwords.
>
> I would like to restrict the range of IPs that a specific account can
> connect from. I can't seem to find a way to do this, PAM seems to only give
> me a way to authorize a user to use SSH as a whole service, not by the IP
> address.
If you're using ssh keys, you can prepend the pub keys w/ something like:
from="IP,IP,..."
or
from="*.foo.com,192.168.*,test.bar.com"
If you're using OpenBSD, you could use authpf.
-rick
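
Added example, not part of the original message: a small audit script that parses authorized_keys lines, reports which keys carry no from= restriction, and checks whether a given client name or address would pass the pattern list. The sample file, key blobs and account comments are constructed; only the '*' and '?' wildcards and '!' negation described in sshd(8) are handled, and CIDR entries are not.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
# Constructed sample file: key blobs are truncated placeholders, not real keys.
SAMPLE = '''from="*.foo.com,192.168.*,test.bar.com" ssh-rsa AAAAB3Nza shared@desk
from="192.168.*,!192.168.9.*",no-pty ssh-ed25519 AAAAC3Nza build@lab
ssh-rsa AAAAB3Nza admin@home
'''

def split_options(line):
    """Split one authorized_keys line into (options, rest-of-line)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:  # options end at first unquoted blank
            return line[:i], line[i:].strip()
    return line, ""

def from_patterns(options):
    """Return the from="..." pattern list, or None when the key has none."""
    m = re.search(r'(?:^|,)from="([^"]*)"', options)
    return m.group(1).split(",") if m else None

def pattern_match(pattern, value):
    """Match with the '*' and '?' wildcards only (no CIDR handling here)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def host_allowed(patterns, host):
    """A matching '!' pattern denies; otherwise any positive match allows."""
    if any(p.startswith("!") and pattern_match(p[1:], host) for p in patterns):
        return False
    return any(pattern_match(p, host) for p in patterns if not p.startswith("!"))

def audit(text, host):
    """Return (key comment, status) per key line for a client host/address."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, rest = split_options(line)
        pats = from_patterns(options)
        status = "unrestricted" if pats is None else (
            "allowed" if host_allowed(pats, host) else "denied")
        results.append(((rest.split() or ["?"])[-1], status))
    return results
```

Keys reported as "unrestricted" are the ones still usable from any address, which is the case the original question wanted to close off for shared accounts.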