Re: Finer grain control of SSH access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 27 May 2004 at 8:05am (-0400), Reuben D. Budiardja wrote:

> 
> Hello,
> I am wondering if someone can help me on how to achieve the following.
> 
> 1. I use tcp wrapper with SSH (/etc/hosts.allow & hosts.deny). I have policy 
> for our server that only access from my domain (.utk.edu domain) is allowed. 
> But we also have several exceptions for people who is outside this domain, so 
> I add that domain to /etc/hosts.allow. What I really want though, is If I can 
> restrict that only certain username can SSH to the server from this remote 
> domain. So for example, if I add .comcast.net domain to /etc/hosts.allow, I 
> want to restrict it further to: "only username 'the-boss' can SSH to this 
> machine from comcast.net". Is there any way to do that at all ?

Adding...

account  required  /lib/security/pam_access.so

... to your /etc/pam.d/sshd file and then editing /etc/security/access.conf 
will allow you to do that sort of thing.  You'll have to read up on the 
exact syntax of the access.conf file.. it's been a while since I've played 
with it but something like...

-:ALL except the-boss:.comcast.net

> 2. Public-key login: I want to disable public-key login, and I know how to do 
> that. However, there are certain cases where we want to allow public-key 
> login, eg. for automated backup, running parallel jobs in beowulf cluster. So 
> I am wondering if there's a way to disable public-key login in general, but 
> allow public-key login from a very restrictive set of IP, eg: disable 
> public-key login, except from IP 10.0.0.0/250 (local network)

Sadly no.  I would like very much to be able to do something like this... to 
say that public key can only be used to login if it's a restricted key with 
a forced command= statement.

M.

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 5, 100 Wickham St.         Network Operations - Senior Systems Eng
PO Box 930, Fortitude Valley.                     phone: +61 7 3230 7371
Queensland, Australia 4006.                       pgp key id: 0x900E515F




-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux