SSH

lpa · 11-05-2013, 08:37 AM

I want to allow logins into my Debian server only from 3 IP addresses.

I added the following line on top of the /etc/ssh/sshd_config file:

PHP Code:



AllowUsers = *@IP_ADDRESS_1, *@IP_ADDRESS_2, *@IP_ADDRESS_3

Restarted SSH:

PHP Code:



/etc/init.d/ssh restart

This does not work. I still can login from any IP address.

Than I tried this:

PHP Code:



AllowUsers = username1@IP_ADDRESS_1, username1@IP_ADDRESS_2, username1@IP_ADDRESS_3

The same problem - I can login from any IP address.

Any ideas?

druuna · 11-05-2013, 09:19 AM

Have you tried using this:

Code:

AllowUsers *@ip_address_1
AllowUsers *@ip_address_2
AllowUsers *@ip_address_3

You can also mix things up:

Code:

AllowUsers user_1@ip_address_1
AllowUsers *@ip_address_2
AllowUsers user_3@ip_address_3

mboelen · 11-05-2013, 01:14 PM

Try a single line first. So you can rule out the usage of three params.

lpa · 11-06-2013, 01:43 AM

I will use hosts.allow hosts.deny instead of AllowUsers which really doesn't work.

evo2 · 11-06-2013, 01:52 AM

Hi,

from the sshd_config man page:

Code:

     AllowUsers
             This keyword can be followed by a list of user name patterns, separated by spaces.

Have you tried removing the commas?

Evo2.

Turbocapitalist · 11-06-2013, 02:30 AM

[s]I'm not aware that AllowUsers or AllowGroups uses anything other than names. No addresses should be allowed, at least according to the manual page. If you are trying to limit access to specific users when they come only from specific addresses, then you need to use the Match option instead. See the manual page for sshd_config for the details.[/s]

evo2 · 11-06-2013, 03:09 AM

Hi,

Quote:

Originally Posted by Turbocapitalist

I'm not aware that AllowUsers or AllowGroups uses anything other than names. No addresses should be allowed, at least according to the manual page.

What sshd are you using?

From sshd_config(5) man page from the openssh-server 1:6.2p2-6 package in Debian:

Code:

     AllowUsers
             This keyword can be followed by a list of user name patterns, separated by spa‐
             ces.  If specified, login is allowed only for user names that match one of the
             patterns.  Only user names are valid; a numerical user ID is not recognized.
             By default, login is allowed for all users.  If the pattern takes the form
             USER@HOST then USER and HOST are separately checked, restricting logins to par‐
             ticular users from particular hosts.

Evo2.

Turbocapitalist · 11-06-2013, 03:14 AM

evo2. I stand corrected, even after having read the manual page several times. It's there though I did not see it. Thanks for catching that mistake.

The @HOST option is there in what I have, OpenSSH_6.2p2

druuna · 11-06-2013, 03:38 AM

Quote:

Originally Posted by lpa

I will use hosts.allow hosts.deny instead of AllowUsers which really doesn't work.

AllowUsers does work. Have you tried my suggestion? Making single entries instead of one long line does work on my side.

Haven't tried evo2's suggestion myself yet (removing the comma's), but it is also worth a try.

sundialsvcs · 11-06-2013, 06:35 AM

Use a firewall, instead . . .