[nycbug-talk] Re: OpenSSH and hosts.allow/hosts.deny

Okan Demirmen okan
Sun Nov 7 17:24:41 EST 2004

On Sun 2004.11.07 at 17:15 -0500, csnyder wrote:
> On Sat, 6 Nov 2004 21:59:39 -0500, a nice bug <nycbug at hastek.com> wrote:
> > G. Rosamond:
> > > A few weeks ago, Chris asked it you could explicitly block or allow by
> > > ip for OpenSSH.
> Really, my question was whether you can block or allow IP addresses by
> login class, when the login is processed by sshd.
> The goal was to disallow ssh login from external IPs for students
> only. Instructors and administrators would still be allowed to connect
> from anywhere.

since you have scponly, you could just use hostname from login(1)
to check if it is within your LOCAL_ADDR in a custom auth. i'm not
sure what status pf is in FreeBSD, but check out the users tag.


> It's certainly not a show-stopper, since students are given an scponly
> shell. I could use a custom port and block it at the firewall. But
> since there's already this handy login class mechanism I was surprised
> to find that FreeBSD's port of OpenSSH didn't respect it.
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month

Okan Demirmen <okan at demirmen.com>
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB3670934
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934

More information about the talk mailing list