Finer grain control of SSH access
Reuben D. Budiardja
techlist at voyager.phys.utk.edu
Thu May 27 12:05:59 UTC 2004
Hello,
I am wondering if someone can help me on how to achieve the following.
1. I use tcp wrapper with SSH (/etc/hosts.allow & hosts.deny). I have policy
for our server that only access from my domain (.utk.edu domain) is allowed.
But we also have several exceptions for people who is outside this domain, so
I add that domain to /etc/hosts.allow. What I really want though, is If I can
restrict that only certain username can SSH to the server from this remote
domain. So for example, if I add .comcast.net domain to /etc/hosts.allow, I
want to restrict it further to: "only username 'the-boss' can SSH to this
machine from comcast.net". Is there any way to do that at all ?
2. Public-key login: I want to disable public-key login, and I know how to do
that. However, there are certain cases where we want to allow public-key
login, eg. for automated backup, running parallel jobs in beowulf cluster. So
I am wondering if there's a way to disable public-key login in general, but
allow public-key login from a very restrictive set of IP, eg: disable
public-key login, except from IP 10.0.0.0/250 (local network)
Any help on how to do any of those would be greatly appreciated.
Thanks in advance.
RDB
--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
---------------------------------------------------------
"To be a nemesis, you have to actively try to destroy
something, don't you? Really, I'm not out to destroy
Microsoft. That will just be a completely unintentional
side effect."
- Linus Torvalds -
More information about the redhat-list
mailing list