More SSH 'trolling'

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Oct 14 15:06:46 UTC 2004


On Thu, 14.10.2004 at 16:32, Wouter van Vliet wrote:

> As for limiting ssh access only to those who need it, how would that
> be done and how can I restrict on IP and user? I've found this page
> http://doc.trustix.org/cgi-bin/trustixdoc.cgi?Restrict_SSH_Per_User
> which explains about allowing only certain users. It's cool. Now, what
> would be the user/ip combi approach?

You don't need to modify the SSH PAM module to restrict SSH connections for
specific accounts. That has been said before in this thread -> man
sshd_config --> AllowUsers + AllowGroups

Regarding IP limitation: do your users have fixed IPs? If yes, you can
use /etc/hosts.allow|.deny for that or iptables.

How should a user/IP combination work - if I understand your question
properly? I don't even see a need for anything like that. If users have
static IPs, then you already have the tcp wrapper to handle that, or
iptables. If the IPs are dynamically assigned, such an attempt is
pointless. What you can do is to use portknocking. This has been
suggested and discussed controversially recently here on the list. See
e.g.

http://marc.theaimsgroup.com/?l=fedora-list&w=2&r=1&s=portknocking&q=b

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 16:58:56 up 12:10, 16 users, 0.12, 0.40, 0.50 
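The access lists named in this message (AllowUsers/AllowGroups in sshd_config) can be evaluated offline. The following is an added example, not code from this thread or from OpenSSH: a small Python evaluator that applies the four sshd_config access lists in the order sshd uses them (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups) against a constructed config fragment and a constructed group table. It also exercises the USER@HOST form of AllowUsers/DenyUsers patterns documented in sshd_config(5), which expresses the per-user, per-address restriction asked about in the quoted question; in current OpenSSH the HOST part may be a CIDR block. Two simplifications are assumed: the HOST part is matched only against the client IP (sshd also tries the client's reverse-DNS name when UseDNS is on), and the "!" negation syntax is not implemented. All addresses, user names and groups are made up for the demo.

```python
"""Evaluate an OpenSSH sshd_config access list for a (user, client IP) pair.

Added example, not code from the thread or from OpenSSH.  It reproduces the
order in which sshd applies DenyUsers, AllowUsers, DenyGroups and AllowGroups
and the USER@HOST form of AllowUsers/DenyUsers patterns.  Simplifications
(assumed): the HOST part is matched only against the client IP address (sshd
also tries the client's reverse-DNS name when UseDNS is on), and the "!"
negation syntax is not implemented.
"""
from fnmatch import fnmatchcase
import ipaddress
import shlex

# Constructed sshd_config fragment for the demo (not a real host's config).
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
# Deny wins over Allow, and the Users and Groups lists must both pass.
DenyUsers guest
AllowUsers admin@192.0.2.10 backup@192.0.2.0/24 deploy
AllowGroups sshusers
"""

# Constructed group membership, standing in for getent group / getgrouplist(3).
GROUPS = {
    "admin": ["admin", "sshusers", "wheel"],
    "backup": ["backup", "sshusers"],
    "deploy": ["deploy"],
    "guest": ["guest", "sshusers"],
}

ACCESS_KEYWORDS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_sshd_config(text):
    """Collect the four access-list keywords; repeated lines accumulate as in sshd."""
    conf = {k: [] for k in ACCESS_KEYWORDS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword = tokens[0].lower()
        if keyword in conf:
            conf[keyword].extend(tokens[1:])
    return conf


def host_matches(ip, host_pattern):
    """HOST part of USER@HOST: a CIDR block or address, else a wildcard pattern."""
    try:
        network = ipaddress.ip_network(host_pattern, strict=False)
    except ValueError:
        return fnmatchcase(ip, host_pattern)      # e.g. 192.0.2.*
    return ipaddress.ip_address(ip) in network


def user_pattern_matches(user, ip, pattern):
    """A bare pattern matches the user name only; USER@HOST checks both halves."""
    if "@" not in pattern:
        return fnmatchcase(user, pattern)
    user_pat, host_pat = pattern.split("@", 1)
    return fnmatchcase(user, user_pat) and host_matches(ip, host_pat)


def groups_match(groups, patterns):
    """True if any of the user's groups matches any pattern in the list."""
    return any(fnmatchcase(g, p) for g in groups for p in patterns)


def login_allowed(conf, groups_db, user, ip):
    """Return (allowed, reason), checking the lists in the order sshd does."""
    if any(user_pattern_matches(user, ip, p) for p in conf["denyusers"]):
        return False, "DenyUsers"
    if conf["allowusers"] and not any(
            user_pattern_matches(user, ip, p) for p in conf["allowusers"]):
        return False, "AllowUsers"
    groups = groups_db.get(user, [])
    if groups_match(groups, conf["denygroups"]):
        return False, "DenyGroups"
    if conf["allowgroups"] and not groups_match(groups, conf["allowgroups"]):
        return False, "AllowGroups"
    return True, "allowed"


def check(user, ip, config_text=SSHD_CONFIG, groups_db=GROUPS):
    """Convenience wrapper: parse the config and decide one login attempt."""
    return login_allowed(parse_sshd_config(config_text), groups_db, user, ip)


if __name__ == "__main__":
    for user, ip in [("admin", "192.0.2.10"), ("admin", "198.51.100.7"),
                     ("backup", "192.0.2.77"), ("deploy", "192.0.2.10"),
                     ("guest", "192.0.2.10")]:
        allowed, reason = check(user, ip)
        verdict = "allow" if allowed else "deny"
        print(f"{user:7s} from {ip:14s} -> {verdict:5s} ({reason})")
```

Run it directly to print a decision for each sample login. The two points worth taking from the output are that a user named in AllowUsers is still refused when AllowGroups is set and none of the user's groups match (deploy in the sample), and that a DenyUsers entry wins even for a member of an allowed group (guest). The tcp wrapper and iptables layers mentioned above act before sshd ever sees the connection and are not modeled here.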