Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
See AllowUsers in sshd_config(5), and the accompanying PATTERNS section in ssh_config(5). Together, they allow you to whitelist account@subnet, account@other-subnet, etc.
All else is denied by default. An alternative to this would be using pam_access(8) to whitelist an entire group@subnet. (We need to know what OS / version you're using in order to help further.)
restrict normal users to SFTP/SCP. This is easy done by setting the account to /sbin/nologin.
prevent root/admin users from gaining shell access outside of certain IP block. In other words, these users have to VPN in to gain shell access.
I don't have the ability to restrict by IP address at the firewall layer unfortunately. Any ideas here?
If I'm understanding what you're saying correctly, you should be able to use the AllowUsers (or DenyUsers) parameters in sshd_config would be what you're after.
...so root could only log in from the 10.11.12 network, and be denied if they're coming in on the 192.* network. Which, if they're VPN'ed in, I'm assuming their subnet will be identifiable, and able to be put in here. You can even allow/deny to ONE address itself.
EDIT: Dangit, I was typing when the other two replies came in.
I could go RTFM but just for fun conversation, just by doing DenyUser root@192.168.* without an explicit AllowUsers root@* will root still be able to login say from 172.16.5.20?
@td3201: I'd expect it to, but am not sure. That's one of those scenarios that is best to personally test and observe.
Again, if you find that sshd(8)'s allow/deny pattern directives are not quite meeting your needs, be sure to consider pam_access(8). It offers a little more flexibility, IMO.
I ended up going with pam_access on this for now but I may have a gap here.
1. No changes to sshd_config other than PermitRootLogin = no
2. /etc/security/access.conf looks like this (DOMAIN\foo is a Active Directory group):
+:DOMAIN\foo:10.
-:DOMAIN\foo:ALL
This works pretty well but anyone part of the domain outside of DOMAIN\foo can login. I need to be able to allow local users to login. Naturally, I can add them to a group and then put them in access.conf but I would prefer to just exclude any other domain logins such as this:
-:*\*:ALL
Actually, thinking about this further. I want to explicitly require that users be added to a specific group for SFTP access so I ended up with this (sftp is a local group):
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
SFTP/SCP only per account
OMAIN\foo,sftp:10
