LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-06-2013, 06:45 AM   #1
piramiday
LQ Newbie
 
Registered: Sep 2013
Posts: 20

Rep: Reputation: Disabled
sshd 'match' statement


I'd like to write in my /etc/ssh/sshd_config file a complex statement, something like:
Code:
PasswordAuthentication yes
Match User john
   PasswordAuthentication no
Match User john Address 192.168.0.100
   PasswordAuthentication yes
the idea would be to accept password logins for every user, but for john implement more strict rules such as allowing password logins only from a certain IP address.

... unfortunately, this does NOT work. can you tell me why?
 
Old 09-06-2013, 09:40 AM   #2
bradvan
Member
 
Registered: Mar 2009
Posts: 200

Rep: Reputation: 41
You match pattern in the second section needs to be a comma-separated list. Check out https://bbs.archlinux.org/viewtopic.php?id=121945 for a reference.
 
Old 09-06-2013, 09:51 AM   #3
piramiday
LQ Newbie
 
Registered: Sep 2013
Posts: 20

Original Poster
Rep: Reputation: Disabled
thank you for your reply.

it seemed to be the right answer, but even with the comma:
Code:
PasswordAuthentication yes
Match User john
   PasswordAuthentication no
Match User john, Address 192.168.0.100
   PasswordAuthentication yes
the former statement overrides the latter, so that user john from address 192.168.0.100 does not have password authentication enabled.
 
Old 09-06-2013, 10:04 AM   #4
piramiday
LQ Newbie
 
Registered: Sep 2013
Posts: 20

Original Poster
Rep: Reputation: Disabled
I think I got it!

the problem was NOT the comma (it works fine without it, too), but the ORDER of the two 'match' statements.
Code:
PasswordAuthentication yes
Match User john Address 192.168.0.100
   PasswordAuthentication yes
Match User john
   PasswordAuthentication no
works as it should: login requests for user john are accepted from 192.168.0.100 and rejected from 192.168.0.66, with any other user unaffected.

 
Old 09-06-2013, 10:28 AM   #5
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,566
Blog Entries: 1

Rep: Reputation: Disabled
Great Job!
I used it on my DorkBlog too!
 
Old 09-09-2013, 05:11 AM   #6
piramiday
LQ Newbie
 
Registered: Sep 2013
Posts: 20

Original Poster
Rep: Reputation: Disabled
I'm honored, Habitual! (:
I'd like to add a few words about the problem, though, for future reference.

the point is to control access for user john from a certain IP address without dependence from default configuration, that is, retaining the secure behaviour even after a change to the default one.

what I mean is: this setup would be straightforward:
Code:
PasswordAuthentication no
Match User john Address 192.168.0.100
   PasswordAuthentication yes
but changing from "PassAuth no" to "PassAuth yes" in the default case (first line) would break down the security of this last example (john from 192.168.0.66 would fall into the 'default' case and thus would be able to login), but it does not break the security of the earlier 'double-match' one (since the two cases do not rely on the default one).

cheers!

Last edited by piramiday; 09-09-2013 at 05:12 AM. Reason: clarity.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] if statement regex match for white spaces ted_chou12 Programming 4 04-09-2011 05:23 AM
ISC DHCP Class match statement don_wombat_73 Linux - Server 3 02-15-2011 10:03 PM
gawk statement to match range of filed for string pgb205 Programming 2 07-30-2010 10:50 PM
[SOLVED] Shell script for adding a statement in a file after a particular statement TheIndependentAquarius Programming 4 06-28-2010 04:07 AM
Starting sshd: /etc/init.d/sshd: line 113: /usr/sbin/sshd: Permission denied sumanc Linux - Server 5 03-28-2008 05:59 AM


All times are GMT -5. The time now is 02:12 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration