My monitoring system uses SSH to do its business. I want the managed servers to only accept this login from 2 addresses: the IPv4 and IPv6 address of my monitoring server. Seems simple, but I can't figure out how to make that work.
I've seen several threads about exactly this, such as this one, and I studied the manpage. What I think I should do is tell SSH to deny this user if he's not coming from either of these 2 addresses.
These are the last lines in my sshd_config:
Code:
Match Address !12.23.45.78
DenyUsers nagios
Match Address !11:22:44:55::1
DenyUsers nagios
But it doesn't seem to do a thing, because nagios can still log in from any address.
Or it could even be simpler, without any Match element:
Code:
DenyUsers nagios@!12.23.45.78 nagios@!11:22:44:55::1
Same result: nagios can log in from anywhere. So I tried it the other way around: first denying access and then allowing for the 2 addresses:
Code:
DenyUsers nagios
Match Address 12.23.45.78
AllowUsers nagios
Match Address 11:22:44:55::1
AllowUsers nagios
But now nagios can't log in from any address. Moving the top line to the bottom doesn't change it either. Whatever I try, nagios can either log in from anywhere or nowhere at all.
I'm sure it's something small, but I can't figure out how to make this work.
Anyone?
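Added example, not part of the original post: a simplified Python model of how OpenSSH evaluates address pattern lists, where a list made only of negated entries never yields a positive match (ssh_config(5), PATTERNS), applied to the first attempt above. The function names, the two wildcard variants and the sample source addresses are constructed for illustration, and the model only covers literal addresses, CIDR ranges and a bare `*`.

```python
import ipaddress

def addr_match_list(addr, pattern_list):
    """Simplified model: 1 = positive match, -1 = a negated entry matched, 0 = no match."""
    ip = ipaddress.ip_address(addr)
    result = 0
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        body = entry[1:] if negated else entry
        if body == "*":
            hit = True
        else:
            net = ipaddress.ip_network(body, strict=False)
            hit = ip.version == net.version and ip in net
        if hit and negated:
            return -1          # a negated hit vetoes the whole list
        if hit:
            result = 1
    return result

def nagios_denied(addr, match_lists):
    """Each list models 'Match Address <list>' followed by 'DenyUsers nagios'.
    A Match block applies only on a positive result, never on 0 or -1."""
    return any(addr_match_list(addr, p) == 1 for p in match_lists)

MONITOR = ["12.23.45.78", "11:22:44:55::1"]   # addresses from the post
OTHER = ["203.0.113.9", "2001:db8::9"]        # constructed sample sources

CONFIGS = {
    "first attempt": ["!12.23.45.78", "!11:22:44:55::1"],
    "wildcard, two blocks": ["*,!12.23.45.78", "*,!11:22:44:55::1"],
    "wildcard, one block": ["*,!12.23.45.78,!11:22:44:55::1"],
}

def evaluate(name):
    """Map every sample source address to True if nagios would be denied."""
    return {a: nagios_denied(a, CONFIGS[name]) for a in MONITOR + OTHER}

if __name__ == "__main__":
    for name in CONFIGS:
        print(name)
        for addr, denied in evaluate(name).items():
            print(f"  {addr:<16} {'denied' if denied else 'allowed'}")
```

In the model, only the single combined list denies nagios everywhere except the two monitoring addresses; splitting it into two wildcard blocks denies the monitoring server as well. On a real host, `sshd -T` with `-C` connection parameters prints the settings the daemon applies to a given user and address.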