Only allowing users in a single group to ssh from internet
 

Hello all

I would like to set up sshd on my home linux machine so that only users in a specific group (f.ex "staff") can log in through ssh from the outside, but still allow me to ssh as root from the intranet. The reason is that I do most of my system administration by editing config files in BBEdit on my Mac, which has a "Open from SFTP server" command (which is really nice) and I'd hate to give it up just because some idiot in Japan is trying to guess my root password (yes, I've added scripts that block an address after X attempts, but still...)

Eggi

In /etc/ssh-/sshd_config you can specify:
AllowGroups %groupname
AllowUsers %username%

This will restrict access to ONLY the listed groups and/or users. Also, my advise is to keep the "RootPermitLogin no" and only su to root after logging in with your username/password.

hope this helps

Yes. See man pages sshd_conf for details.
You should disable root login and use su for access.
Changing ports helps eliminate the garbage from the script kiddies.

Thanks for the replies, guys. These are both good ideas, however, like I said in the original post, I really would like to allow root-access to the sftp subsystem from the intranet while blocking it from the outside. Are you saying that it is impossible?

Eggi

If understand your question then I think the answer is no.