[nycbug-talk] Re: OpenSSH and hosts.allow/hosts.deny

Okan Demirmen okan
Sun Nov 7 17:24:41 EST 2004


On Sun 2004.11.07 at 17:15 -0500, csnyder wrote:
> On Sat, 6 Nov 2004 21:59:39 -0500, a nice bug <nycbug at hastek.com> wrote:
> > G. Rosamond:
> > > A few weeks ago, Chris asked if you could explicitly block or allow by
> > > ip for OpenSSH.
> 
> Really, my question was whether you can block or allow IP addresses by
> login class, when the login is processed by sshd.
> 
> The goal was to disallow ssh login from external IPs for students
> only. Instructors and administrators would still be allowed to connect
> from anywhere.

since you have scponly, you could just use hostname from login(1)
to check if it is within your LOCAL_ADDR in a custom auth. i'm not
sure what status pf is in FreeBSD, but check out the users tag.

okan

> It's certainly not a show-stopper, since students are given an scponly
> shell. I could use a custom port and block it at the firewall. But
> since there's already this handy login class mechanism I was surprised
> to find that FreeBSD's port of OpenSSH didn't respect it.

-- 
Okan Demirmen <okan at demirmen.com>
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB3670934
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934
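
The address check suggested above, sketched as an added example that is not part of the original message or of any poster's setup: students are accepted only from the networks in LOCAL_ADDR, every other class from anywhere. The sample networks are constructed, and the class name "student" and the LOGIN_CLASS variable are hypothetical; how the script gets hooked into login (custom auth, wrapper around the scponly shell) is left open.

```sh
#!/bin/sh
# Added example, not from the thread. LOCAL_ADDR values are constructed samples;
# the class name "student" and the LOGIN_CLASS variable are hypothetical.
LOCAL_ADDR="10.0.0.0/8 192.168.10.0/24"

# Print a dotted-quad IPv4 address as an integer; fail on anything else.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 lies inside network $2 (written a.b.c.d/len).
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    len=${2#*/}
    case "$len" in ""|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Students may log in only from LOCAL_ADDR; other classes from anywhere.
# An unparsable address (IPv6 included) fails closed for students.
login_allowed() {   # $1 = login class, $2 = remote address
    [ "$1" = "student" ] || return 0
    for n in $LOCAL_ADDR; do
        in_cidr "$2" "$n" && return 0
    done
    return 1
}

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
if [ -n "${SSH_CONNECTION:-}" ] && [ -n "${LOGIN_CLASS:-}" ]; then
    login_allowed "$LOGIN_CLASS" "${SSH_CONNECTION%% *}" || {
        echo "login from ${SSH_CONNECTION%% *} not permitted" >&2
        exit 1
    }
fi
```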
