Finer grain control of SSH access

Matthew Melvin matthewm at webcentral.com.au
Fri May 28 02:13:16 UTC 2004


On Thu, 27 May 2004 at 8:05am (-0400), Reuben D. Budiardja wrote:

> 
> Hello,
> I am wondering if someone can help me on how to achieve the following.
> 
> 1. I use tcp wrapper with SSH (/etc/hosts.allow & hosts.deny). I have a policy 
> for our server that only access from my domain (.utk.edu domain) is allowed. 
> But we also have several exceptions for people who are outside this domain, so 
> I add that domain to /etc/hosts.allow. What I really want though, is if I can 
> restrict that only a certain username can SSH to the server from this remote 
> domain. So for example, if I add .comcast.net domain to /etc/hosts.allow, I 
> want to restrict it further to: "only username 'the-boss' can SSH to this 
> machine from comcast.net". Is there any way to do that at all?

Adding...

account  required  /lib/security/pam_access.so

... to your /etc/pam.d/sshd file and then editing /etc/security/access.conf 
will allow you to do that sort of thing.  You'll have to read up on the 
exact syntax of the access.conf file... it's been a while since I've played 
with it but something like...

-:ALL except the-boss:.comcast.net

> 2. Public-key login: I want to disable public-key login, and I know how to do 
> that. However, there are certain cases where we want to allow public-key 
> login, e.g. for automated backup, running parallel jobs in a beowulf cluster. So 
> I am wondering if there's a way to disable public-key login in general, but 
> allow public-key login from a very restrictive set of IPs, e.g.: disable 
> public-key login, except from IP 10.0.0.0/250 (local network)

Sadly no.  I would like very much to be able to do something like this... to 
say that public key can only be used to login if it's a restricted key with 
a forced command= statement.

M.

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 5, 100 Wickham St.         Network Operations - Senior Systems Eng
PO Box 930, Fortitude Valley.                     phone: +61 7 3230 7371
Queensland, Australia 4006.                       pgp key id: 0x900E515F
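As an added illustration of the pam_access rule sketched in the reply (example code written for this page, not from the post or from Linux-PAM), the evaluator below models how access.conf lines are matched: the first matching line wins, EXCEPT carves exceptions out of a list, and a pattern beginning with a dot matches a hostname suffix. It assumes a constructed access.conf and covers only the user and host-suffix cases discussed here.

```python
# Minimal model of pam_access evaluation of /etc/security/access.conf
# (added example, not the module's own code). Real pam_access also handles
# LOCAL, network/netmask origins, tty names and group names; this models
# only the user / host-suffix case the thread is about.
from typing import Callable, List, Tuple

# Constructed access.conf in the spirit of the reply: deny everyone coming
# from .comcast.net except the-boss, then fall through to permit.
ACCESS_CONF = """
# permission : users : origins
-:ALL EXCEPT the-boss:.comcast.net
+:ALL:ALL
"""

def _split(field: str) -> List[str]:
    # pam_access separates list items with commas, spaces or tabs
    return [t for t in field.replace(",", " ").split() if t]

def _list_match(items: List[str], value: str, match: Callable[[str, str], bool]) -> bool:
    """Match any item before EXCEPT, unless an item after EXCEPT also matches."""
    tokens = ["EXCEPT" if t.upper() == "EXCEPT" else t for t in items]
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    return any(match(t, value) for t in head) and not any(match(t, value) for t in tail)

def _user_match(pattern: str, user: str) -> bool:
    return pattern == "ALL" or pattern == user

def _host_match(pattern: str, host: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # domain suffix such as .comcast.net
        return host.lower().endswith(pattern.lower())
    return pattern.lower() == host.lower()

def parse_access_conf(text: str) -> List[Tuple[str, List[str], List[str]]]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, _split(users), _split(origins)))
    return rules

def access_allowed(user: str, host: str, conf: str = ACCESS_CONF) -> bool:
    """True if the 'account' check would pass: first matching line decides."""
    for perm, users, origins in parse_access_conf(conf):
        if _list_match(users, user, _user_match) and _list_match(origins, host, _host_match):
            return perm == "+"
    return True  # pam_access permits when no line matches, hence the usual -:ALL:ALL tail
```

Because the origin is the client name PAM is handed, a suffix rule like `.comcast.net` is only as trustworthy as the reverse-DNS lookup behind it, and ordering matters since the first hit decides.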