how to limit ssh by user and ip

cizzi · 02-15-2008, 07:46 AM

How can I limit a certain user to login from a certain set of IPs only?

I tried this:

AllowUsers "user@\i192.*"

but cant get it to work.. i put it in /etc/ssh/sshd_config and restarted the server...

What am I doing wrong?

anomie · 02-15-2008, 09:35 AM

Quote:

Originally Posted by cizzi

AllowUsers "user@\i192.*"

Could you explain that pattern? I haven't tested this, but from the manpages I'd expect it to be:
AllowUsers user@192.*

cizzi · 02-15-2008, 11:16 AM

Thanks that worked, however I'd also like to add AllowGroups users to allow users from the users groups to login, when you use AllowUsers with AllowGroups I read that AllowUsers takes precedence thus ignoring AllowGroups. The other option is to add all the users one at a time in AllowUsers.. any other ideas?

anomie · 02-15-2008, 11:29 AM

I don't understand your full requirements. You want all users in a group you specify to be able to login (from a specific subnet)? Are there also users outside of the group that need access?

cizzi · 02-15-2008, 11:39 AM

I want myself to be able to login with ssh locally which works with:

AllowUsers myuser@192.*

And I want my regular users to login (they are all part of the users group), so I tried this:

AllowGroups users (from any subnet on the internet)

However, when I use both AllowUsers and AllowGroups, the users cannot login.

anomie · 02-15-2008, 12:32 PM

Ah. That's going to be a problem. From the sshd_config(5) manpages:

Quote:

The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.

To solve this you can a) run two sshd instances (that'll require some knowledge about your distro's rc/init scripts); b) use only the AllowGroups directive, and add yourself to that group.

There may be other ideas too.

cizzi · 02-15-2008, 03:18 PM

Allright I got it to work with your suggestions. Thank you!