Finer grain control of SSH access
Ed Wilts
ewilts at ewilts.org
Thu May 27 13:44:32 UTC 2004
On Thu, May 27, 2004 at 08:05:59AM -0400, Reuben D. Budiardja wrote:
>
> 1. I use tcp wrapper with SSH (/etc/hosts.allow & hosts.deny). I have a policy
> for our server that only access from my domain (.utk.edu domain) is allowed.
> But we also have several exceptions for people who are outside this domain, so
> I add that domain to /etc/hosts.allow. What I really want though, is to
> restrict it so that only a certain username can SSH to the server from this remote
> domain. So for example, if I add the .comcast.net domain to /etc/hosts.allow, I
> want to restrict it further to: "only username 'the-boss' can SSH to this
> machine from comcast.net". Is there any way to do that at all?
man sshd_config. Look at AllowGroups and AllowUsers.
Those entries aren't in the template sshd_config file but they're
available to be added manually. This will allow 'the-boss' to ssh in,
but s/he can come in from anywhere.
You could also do this in a pam policy with the pam_listfile module.
> 2. Public-key login: I want to disable public-key login, and I know how to do
> that.
That's the PubkeyAuthentication parameter.
> However, there are certain cases where we want to allow public-key
> login,
It's either on or off. Maybe isn't one of the choices :-)
> Any help on how to do any of those would be greatly appreciated.
I hope I've got you closer...
.../Ed
--
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
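As an added example that is not part of the thread: OpenSSH's AllowUsers also accepts USER@HOST patterns (documented in sshd_config(5)), which is the per-user, per-origin restriction question 1 asks for. The Python below is a simplified re-implementation of that matching (shell-style wildcards or CIDR for the host part), not OpenSSH's own code; the directive and client values are constructed for illustration.

```python
"""Model of how an sshd AllowUsers line decides access (illustrative only).

AllowUsers is a space-separated list of patterns. A bare pattern matches the
username from any client host; USER@HOST additionally requires the client's
reverse-resolved hostname or address to match HOST, which may contain '*' and
'?' wildcards or be written in CIDR notation. Simplified re-implementation,
not OpenSSH's code (it ignores '!' negation and treats '[...]' as a glob).
"""
import fnmatch
import ipaddress


def _match_host(pattern, hostname, address):
    """HOST part: CIDR is tested against the client address; anything else is a
    case-insensitive glob tested against the hostname (if any) or the address."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    pat = pattern.lower()
    return any(fnmatch.fnmatchcase(h.lower(), pat) for h in (hostname, address) if h)


def allow_users_permits(allow_users, user, hostname, address):
    """Return True if any pattern in the AllowUsers line admits this login.

    hostname may be None when the client address has no reverse DNS entry."""
    for token in allow_users.split():
        if "@" in token:
            user_pat, host_pat = token.split("@", 1)
            if fnmatch.fnmatchcase(user, user_pat) and _match_host(host_pat, hostname, address):
                return True
        elif fnmatch.fnmatchcase(user, token):
            return True
    return False


# Constructed sample directive: anyone from the .utk.edu domain, one exception
# account allowed only from .comcast.net, and an admin account tied to a subnet.
ALLOW = "*@*.utk.edu the-boss@*.comcast.net admin@192.0.2.0/24"

if __name__ == "__main__":
    boss_host = "c-1-2-3-4.hsd1.tn.comcast.net"  # constructed reverse-DNS name
    print(allow_users_permits(ALLOW, "the-boss", boss_host, "198.51.100.7"))  # True
    print(allow_users_permits(ALLOW, "alice", boss_host, "198.51.100.7"))     # False
```

Note that the host part is matched against whatever sshd sees, so without reverse DNS (or with UseDNS off) only the address form of a pattern applies.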