On Tue, 24 Feb 2015, Christoph Anton Mitterer wrote:

> Hey.
>
> Perhaps someone can help me with the following (OpenSSH 6.7):
>
> I have a host reachable via miscellaneous interfaces (and network
> addresses) running SSH.
>
> Some specific users should be only reachable from the inside, so e.g.
> thought something like this would do the job in sshd_config:
>
> #general config
> #...
>
> Match User foo LocalAddress 10.0.0.1,fe80:abba::0
>     PasswordAuthentication no
>     KbdInteractiveAuthentication no
>     RhostsRSAAuthentication no
>     HostbasedAuthentication no
>     KerberosAuthentication no
>     GSSAPIAuthentication no
>     RSAAuthentication no
>     PubkeyAuthentication yes
>
> Match User foo LocalAddress !10.0.0.1,!fe80:abba::0

with HEAD you can do:

Match user foo !localaddress 10.0.0.1...

otherwise you need to have at least one matching term in the predicate,
e.g.

Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

> But apparently it never goes into the negative matching block :-(
>
> Also, it seems that hostnames can generally not be used with
> LocalAddress,.. is this expected? Cause that would be kinda nice.

Yes, it's expected - we don't do DNS lookups there. I don't think we want
to either.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
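The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH's code: a simplified Python model of how a comma-separated address list with `!` entries is evaluated, showing why a list made only of negations never selects the Match block. The function names and the test addresses 192.0.2.10 and 2001:db8::1 are assumptions made for illustration.

```python
import fnmatch
import ipaddress

def entry_matches(ip, pattern):
    """True if one list entry (wildcard, address or CIDR) covers ip."""
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(str(ip), pattern.lower())
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # e.g. a hostname: no DNS lookup is attempted

def match_list(addr, pattern_list):
    """1 = positive match, 0 = nothing matched, -1 = hit a negated entry."""
    ip = ipaddress.ip_address(addr)
    result = 0
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if entry_matches(ip, entry.lstrip("!")):
            if negated:
                return -1  # a negated hit vetoes the whole list
            result = 1
    return result

def block_applies(addr, pattern_list):
    """A Match criterion is satisfied only by a positive match."""
    return match_list(addr, pattern_list) == 1

NEG_ONLY = "!10.0.0.1,!fe80:abba::0"  # list from the question
WITH_STAR = "*," + NEG_ONLY           # list suggested in the reply

if __name__ == "__main__":
    # Constructed local addresses: two internal, two external.
    for addr in ("10.0.0.1", "fe80:abba::", "192.0.2.10", "2001:db8::1"):
        print(addr, block_applies(addr, NEG_ONLY),
              block_applies(addr, WITH_STAR))
```

To check a real configuration rather than this model, sshd's extended test mode (`sshd -T` with a `-C` connection specification that includes `user=` and `laddr=`) prints the effective settings for a given connection.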