LinuxQuestions.org
Old 05-09-2015, 04:44 PM   #1
humbry
LQ Newbie
 
Registered: Feb 2012
Posts: 21

Rep: Reputation: Disabled
Limit SSH user based on local IP address?


I suspect this is not possible but I'll ask.

For a machine where SSHd is listening on multiple IP addresses, is it possible to block certain users from logging in based on the IP address they are connecting to?

Example:
Listening on 1.2.3.4 and 5.6.7.8
User amir should be allowed to log in on 1.2.3.4 but NOT 5.6.7.8
User mary is allowed on 5.6.7.8 but not on 1.2.3.4

Again, these are the IP addresses the user is connecting TO not FROM.

I think I could do this by running multiple sshd instances but can I do it with a single one?

Last edited by humbry; 05-09-2015 at 05:47 PM.
 
Old 05-09-2015, 06:10 PM   #2
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
You might be able to accomplish this without needing to run multiple instances of sshd for each IP you're binding if your version of OpenSSH supports the use of Match. Should be 4.4p1 and newer, so anything recent should have it... I hope...

man sshd_config
Code:
Match   Introduces a conditional block.  If all of the criteria on the
        Match line are satisfied, the keywords on the following lines
        override those set in the global section of the config file,
        until either another Match line or the end of the file.  If a
        keyword appears in multiple Match blocks that are satisfied,
        only the first instance of the keyword is applied.

        The arguments to Match are one or more criteria-pattern pairs or
        the single token All which matches all criteria.  The available
        criteria are User, Group, Host, LocalAddress, LocalPort, and
        Address.  The match patterns may consist of single entries or
        comma-separated lists and may use the wildcard and negation
        operators described in the PATTERNS section of ssh_config(5).

I've not used it in this manner, but maybe something like the following will work for you.

Code:
Match LocalAddress 1.2.3.4
  AllowUsers amir

Match LocalAddress 5.6.7.8
  AllowUsers mary

Last edited by rayfordj; 05-10-2015 at 05:13 PM. Reason: Correction: AllowUser -> AllowUsers
 
1 members found this post helpful.
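
Added example (not part of the original posts, and not OpenSSH's code): a simplified Python model of how the two Match LocalAddress blocks above select AllowUsers, showing that an address with no matching block is left unrestricted. Assumptions: only a single `LocalAddress` criterion and plain user names with `*`/`?` wildcards are modelled (no negation, CIDR or `user@host` patterns), and 9.9.9.9 is a constructed third listening address.

```python
from fnmatch import fnmatchcase

# Constructed sample: the two Match blocks from the answer above.
SAMPLE_CONFIG = """\
Match LocalAddress 1.2.3.4
  AllowUsers amir

Match LocalAddress 5.6.7.8
  AllowUsers mary
"""

def parse(config):
    """Return [(address patterns, {keyword: args})]; patterns is None for the global section."""
    sections = [(None, {})]
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            # Simplification: only "Match LocalAddress <list>" is modelled.
            if len(args) != 2 or args[0].lower() != "localaddress":
                raise ValueError("unsupported Match line: " + raw.strip())
            sections.append((args[1].split(","), {}))
        else:
            sections[-1][1].setdefault(key, args)
    return sections

def allow_users(sections, local_addr):
    """Effective AllowUsers list for a connection to local_addr, or None if unset."""
    for patterns, keywords in sections[1:]:
        if "allowusers" in keywords and any(fnmatchcase(local_addr, p) for p in patterns):
            return keywords["allowusers"]  # first satisfied Match block wins
    return sections[0][1].get("allowusers")  # fall back to the global section

def may_login(config, user, local_addr):
    allowed = allow_users(parse(config), local_addr)
    # With no AllowUsers in effect, this directive restricts nobody.
    return allowed is None or any(fnmatchcase(user, p) for p in allowed)

if __name__ == "__main__":
    for user, addr in [("amir", "1.2.3.4"), ("amir", "5.6.7.8"),
                       ("mary", "5.6.7.8"), ("mary", "9.9.9.9")]:
        verdict = "allowed" if may_login(SAMPLE_CONFIG, user, addr) else "denied"
        print(user, "->", addr, verdict)
```

On a live system, sshd's extended test mode (`sshd -T` with a `-C` connection specification) prints the effective settings for a given connection, which is the authoritative check.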
Old 05-09-2015, 07:34 PM   #3
humbry
LQ Newbie
 
Registered: Feb 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Yes, perfect! Tested and confirmed. Couldn't have been easier.

Notice in your example, you used AllowUser which should be AllowUsers

Thank you!
 
Old 05-10-2015, 05:14 PM   #4
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
Good catch... I was in a bit of a hurry when I was posting to you and going from memory rather than consulting the documentation. I've corrected it so anybody else coming along reviewing it will have accurate options demonstrated.

Thanks!
 
  


All times are GMT -5.