On Thu, 27 May 2004 at 8:05am (-0400), Reuben D. Budiardja wrote:

> Hello,
> I am wondering if someone can help me on how to achieve the following.
>
> 1. I use tcp wrapper with SSH (/etc/hosts.allow & hosts.deny). I have policy
> for our server that only access from my domain (.utk.edu domain) is allowed.
> But we also have several exceptions for people who are outside this domain, so
> I add that domain to /etc/hosts.allow. What I really want though, is if I can
> restrict that only certain username can SSH to the server from this remote
> domain. So for example, if I add .comcast.net domain to /etc/hosts.allow, I
> want to restrict it further to: "only username 'the-boss' can SSH to this
> machine from comcast.net". Is there any way to do that at all?

Adding...

    account required /lib/security/pam_access.so

... to your /etc/pam.d/sshd file and then editing /etc/security/access.conf
will allow you to do that sort of thing. You'll have to read up on the exact
syntax of the access.conf file.. it's been a while since I've played with it
but something like...

    -:ALL except the-boss:.comcast.net

> 2. Public-key login: I want to disable public-key login, and I know how to do
> that. However, there are certain cases where we want to allow public-key
> login, eg. for automated backup, running parallel jobs in beowulf cluster. So
> I am wondering if there's a way to disable public-key login in general, but
> allow public-key login from a very restrictive set of IP, eg: disable
> public-key login, except from IP 10.0.0.0/250 (local network)

Sadly no. I would like very much to be able to do something like this... to
say that public key can only be used to login if it's a restricted key with a
forced command= statement.

M.

-- 
WebCentral Pty Ltd             Australia's #1 Internet Web Hosting Company
Level 5, 100 Wickham St.       Network Operations - Senior Systems Eng
PO Box 930, Fortitude Valley.  phone: +61 7 3230 7371
Queensland, Australia 4006.
pgp key id: 0x900E515F
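Added example (not part of the original message and not pam_access source code): a simplified Python model of how an access.conf rule list is evaluated, run against the rule suggested in the reply. It assumes sshd hands PAM a resolved hostname for the client; the hostnames and the user "alice" are constructed, and groups, netgroups, LOCAL and network/netmask origins are left out.

```python
# Simplified model of access.conf evaluation: the first rule whose users AND
# origins fields both match decides; if no rule matches, access is granted.
# Only ALL, one level of EXCEPT, ".domain" suffixes and exact names are modelled.

RULES = """
# constructed access.conf holding only the rule quoted in the reply
-:ALL except the-boss:.comcast.net
"""

def _match_item(token, value, is_origin):
    if token.upper() == "ALL":
        return True
    if is_origin and token.startswith("."):          # ".comcast.net" = domain suffix
        return value.lower().endswith(token.lower())
    if is_origin:
        return token.lower() == value.lower()        # hostnames compared without case
    return token == value                            # this model compares users exactly

def _match_list(field, value, is_origin):
    tokens = field.split()
    upper = [t.upper() for t in tokens]              # keyword accepted in any case here
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    include, exclude = tokens[:cut], tokens[cut + 1:]
    hit = any(_match_item(t, value, is_origin) for t in include)
    excluded = any(_match_item(t, value, is_origin) for t in exclude)
    return hit and not excluded

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: " + line)
        rules.append((perm, users, origins))
    return rules

def is_allowed(rules, user, rhost):
    for perm, users, origins in rules:
        if _match_list(users, user, False) and _match_list(origins, rhost, True):
            return perm == "+"
    return True                                      # no rule matched

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for user, host in [("the-boss", "c-10-1-2-3.hsd1.tn.comcast.net"),
                       ("alice", "c-10-1-2-3.hsd1.tn.comcast.net"),
                       ("alice", "lab1.utk.edu")]:
        print(user, host, "allowed" if is_allowed(rules, user, host) else "denied")
```

The last case shows that this rule by itself says nothing about hosts outside .comcast.net, so the /etc/hosts.allow restriction from the question still has to do that part.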