The App Servers allow root access from "Mngt Server" but deny root access from everywhere else. - The App Servers allow AppUserX access from App* Server and "Mngt Server" but deny access from everywhere else. - The administrators can connect to the servers from anywhere but not as the AppUserX or root I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config files. I have also tried ~/.ssh/config to no avail. As I am pretty much fumbling in the dark I may have been close to a solution and not realised it but I simply can't seem to get user level access restrictions to work. ################################################################# Michael What options did you use for AllowUsers in sshd_config? >From my experience, these should work Imran -----Original Message----- From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Michael Sent: 26 March 2010 06:19 To: secureshell@xxxxxxxxxxxxxxxxx Subject: Restricting SSH access per user to specific sources Hi My first request so please excuse any etiquette faux pax. I have been searching for a solution for a few weeks now and managed to find one or two server wide examples & discussions but not any for user specific restrictions. Firstly, the setup : Running AIX 5300-10-01 and 6100-03-01 servers with OpenSSH version 5.0.0.5302 (latest version for AIX I am aware of). There are also a few linux boxes, mostly redhat and Ubuntu. We have a central management server running AIX 6100-03-01 which runs distributed shell commands (dsh - essentially SSH's to all servers and runs the specific command) but for this to work root ssh needs to be enabled. I also have a number of application users that need to be able to SSH/SCP/SFTP between servers. For security reasons I need to only allow root ssh from the management server only. For audit purposes I need to ensure that application UserID's will only accept connections from specific hosts. All this needs to be done without impacting where the administrators can connect from so it needs to be user specific. As TCP Wrapper is not used on the AIX servers that is currently not an option and the configuration needs to go through the various OpenSSH configs. Example : Mngt Server App1 Server App2 Server App3 Server - The App Servers allow root access from "Mngt Server" but deny root access from everywhere else. - The App Servers allow AppUserX access from App* Server and "Mngt Server" but deny access from everywhere else. - The administrators can connect to the servers from anywhere but not as the AppUserX or root I have tried the global /etc/ssh/ssh_config and /etc/ssh/sshd_config files. I have also tried ~/.ssh/config to no avail. As I am pretty much fumbling in the dark I may have been close to a solution and not realised it but I simply can't seem to get user level access restrictions to work. I would appreciate any help! R e g a r d s M i c h a e l L G r i f f i n Please consider the environment before printing this email He who play in root, eventually kill tree. ***************************************************** This email is issued by a VocaLink group company. It is confidential and intended for the exclusive use of the addressee only. You should not disclose its contents to any other person. If you are not the addressee (or responsible for delivery of the message to the addressee), please notify the originator immediately by return message and destroy the original message. The contents of this email will have no contractual effect unless it is otherwise agreed between a specific VocaLink group company and the recipient. The VocaLink group companies include, among others: VocaLink Limited (Company No 06119048, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no 1023742, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Three Rivers Court, Homestead Road, Rickmansworth, Hertfordshire. WD3 1FX. United Kingdom, LINK Interchange Network Limited (Company No 3565766, VAT No. 907 9619 87) which is registered in England and Wales at registered office Arundel House, 1 Liverpool Gardens, Worthing, West Sussex, BN11 1SL and VocaLink Holdings Limited (Company No 06119036, VAT No. 907 9619 87) which is registered in England and Wales at registered office Drake House, Homestead Road, Rickmansworth, WD3 1FX. United Kingdom. The views and opinions expressed in this email may not reflect those of any member of the VocaLink group. This message and any attachments have been scanned for viruses prior to leaving the VocaLink group network; however, VocaLink does not guarantee the security of this message and will not be responsible for any damages arising as a result of any virus being passed on or arising from any alteration of this message by a third party. The VocaLink group may monitor emails sent to and from the VocaLink group network. This message has been checked for all email viruses by MessageLabs. *************************************************************