[nycbug-talk] Restricting OpenSSH by account/IP

Jesse Callaway jesse
Tue Mar 15 17:35:14 EST 2005


On Tue, Mar 15, 2005 at 04:57:23PM -0500, steverieger wrote:
> 
> 
> 
> On 3/15/05 4:24 PM, "pete wright" <nomadlogic at gmail.com> wrote:
> 
> > On Tue, 15 Mar 2005 16:17:30 -0500, Paul Dlug <paul at aps.org> wrote:
> >> 
> >> On Mar 15, 2005, at 2:14 PM, pete wright wrote:
> > 
> > 
> > Hmmm... I see what you mean.  I was under the assumption that sshd would
> > pass on the auth. to whatever Unix authentication method you are
> > using (PAM, Kerberos or whatever).  At least that is how it behaves
> > on my systems (and I believe that by default PAM is enabled in
> > OpenSSH), not sure how you have things setup though.
> > 
> > -p
> > 
> May I propose the following
> 
> 
> Use ldap for ssh authentication and only allow ssh to listen to one ip
> address. 
> 
> 
> Or perhaps I am missing something here.
>

I think you have to step down to ssh version 1, and use the RSAandRhosts deal. This means putting the right IPs in the user's .rhosts file.
Or, yeah, the firewall thing sounds good. SSH only for OutSideSSHIPs, which is defined to be this and that IP. You could then even have a little form on your intranet for keeping track of the IPs. whatismyipaddress.com has popups, but gets the trick done if you want to tell people to go there and email you.
 
-jesse
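One way to carry out the account-plus-IP restriction this thread is after without dropping to protocol 1: sshd_config(5)'s AllowUsers accepts USER@HOST entries, so sshd itself can tie an account to a source address, and the same source list can feed the firewall table for the rule suggested above. The script below is an added example, not code from the thread or from OpenSSH; the allow-list contents, the pf table name outside_ssh and the $ext_if macro are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: keep ONE list of
# "account  source" pairs and derive from it both the sshd_config AllowUsers
# line (sshd enforces the account-to-IP pairing itself) and a pf table for
# the firewall rule.  The list contents, the table name "outside_ssh" and
# the $ext_if macro are hypothetical.

# Constructed sample allow-list.  A source is a full IPv4 address or a dotted
# prefix ending in ".*", the wildcard form sshd_config(5) accepts in patterns.
ALLOWLIST='# account    source
alice        192.0.2.10
bob          198.51.100.*
carol        203.0.113.7
'

# Accept only "a.b.c.d" or "a[.b[.c]].*" so that a typo such as a bare "*"
# cannot silently admit every host.  Returns 0 when the source is valid.
valid_source() {
    s=$1
    case "$s" in ''|*[!0-9.*]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; set -f; IFS=.; set -- $s; IFS=$oldifs; set +f
    n=$#; i=0
    for f in "$@"; do
        i=$((i + 1))
        if [ "$f" = '*' ]; then
            # wildcard only as the last of at least two fields
            [ "$i" -eq "$n" ] && [ "$n" -ge 2 ] || return 1
        else
            case "$f" in ''|*[!0-9]*) return 1 ;; esac
            [ ${#f} -le 3 ] && [ "$f" -le 255 ] || return 1
        fi
    done
    case "$s" in
        *\*) [ "$n" -le 4 ] || return 1 ;;
        *)   [ "$n" -eq 4 ] || return 1 ;;
    esac
    return 0
}

# pf wants CIDR, not wildcards: "198.51.100.*" -> "198.51.100.0/24".
to_cidr() {
    case "$1" in *\*) ;; *) printf '%s\n' "$1"; return ;; esac
    net=${1%.\*}
    case "$net" in *.*.*) n=3 ;; *.*) n=2 ;; *) n=1 ;; esac
    bits=$((8 * n))
    while [ "$n" -lt 4 ]; do net="$net.0"; n=$((n + 1)); done
    printf '%s/%s\n' "$net" "$bits"
}

# Print validated "account source" pairs; fail on the first bad line so the
# callers abort instead of installing a partial policy.
entries() {
    while read -r user src rest; do
        case "$user" in ''|\#*) continue ;; esac
        case "$user" in *[!a-z0-9_-]*) echo "bad account: $user" >&2; return 1 ;; esac
        valid_source "$src" || { echo "bad source for $user: $src" >&2; return 1; }
        printf '%s %s\n' "$user" "$src"
    done <<EOF
$ALLOWLIST
EOF
}

# sshd_config: with USER@HOST entries, AllowUsers admits alice only from
# 192.0.2.10; alice from anywhere else, and every unlisted account, is refused.
sshd_allowusers() {
    list=$(entries) || return 1
    printf 'AllowUsers'
    printf '%s\n' "$list" | while read -r user src; do printf ' %s@%s' "$user" "$src"; done
    printf '\n'
}

# pf.conf: the same sources as a table, plus the rules that use it.
pf_table() {
    list=$(entries) || return 1
    printf 'table <outside_ssh> persist {'
    printf '%s\n' "$list" | while read -r user src; do printf ' %s' "$(to_cidr "$src")"; done
    printf ' }\n'
    printf '%s\n' 'block in on $ext_if proto tcp to port 22' \
                  'pass in on $ext_if proto tcp from <outside_ssh> to port 22'
}

sshd_allowusers
pf_table
```

Drop the generated AllowUsers line into sshd_config and check it with `sshd -t` before restarting. The HOST part of each entry is matched as a pattern against the client's address (and, when sshd resolves it, its hostname), so wildcard sources deserve a second look; the validation above refuses a bare `*` or a wildcard anywhere but the last octet for that reason.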



