On 27/11/01, martin f krafft wrote:
> * op <[EMAIL PROTECTED]> [2001.11.27 10:23:57+0100]:
> > I specify the users in /etc/ssh/sshd_config who are allowed to connect via
> > ssh. But I'd like some more control. I'd like to control which subnets user x
> > can connect from. Some should be allowed to connect from anywhere but some
> > should only be able to connect from the local network.
>
> nope, this isn't possible with the current sshd. an interesting
> feature though...
>
> you could write a custom shell that checks the IP after login and only
> spawns a shell when it's from an OK subnet...

| AllowUsers
|     This keyword can be followed by a list of user names, separated
|     by spaces. If specified, login is allowed only for users names
|     that match one of the patterns. `*' and `?' can be used as
|     wildcards in the patterns. Only user names are valid; a numerical
|     user ID is not recognized. By default login is allowed
|     regardless of the user name. If the pattern takes the form
|     USER@HOST then USER and HOST are separately checked, restricting
|     logins to particular users from particular hosts.

Well, this option for the sshd is at least available in the latest CVS of
OpenSSH and is, as far as I remember, also available in the latest
official release (3.0p1). So at least it's possible to restrict a user
to come from a certain host. But I'm thinking it won't work with Subnets
or Host-Patterns so far. And I'm not really sure if it's that easy to
extend the functionality of this option to subnets.

    Christian
-- 
          Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
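
The custom-shell idea quoted above, sketched as an added example that is not part of the original thread or of OpenSSH. The policy table, the user names and the script name `subnet-shell` are hypothetical; it assumes IPv4 only and that sshd exports SSH_CLIENT as "address source-port dest-port".

```shell
#!/bin/sh
# Added example: login-shell gate that admits a user only from listed IPv4 subnets.
# ALLOWED_NETS is a constructed policy, one "user:cidr[,cidr...]" entry per line.
ALLOWED_NETS='alice:0.0.0.0/0
bob:192.168.1.0/24,10.0.0.0/8'

ip_to_int() {   # dotted quad -> integer; fails on anything malformed
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {     # in_cidr ADDRESS NET/BITS -> 0 if ADDRESS lies inside the subnet
    net=${2%/*}; bits=${2#*/}
    case "$bits" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip_n=$(ip_to_int "$1") || return 1
    net_n=$(ip_to_int "$net") || return 1
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

client_allowed() {   # client_allowed USER ADDRESS; unknown users are denied
    while IFS=: read -r user nets; do
        [ "$user" = "$1" ] || continue
        old_ifs=$IFS; IFS=,
        for cidr in $nets; do
            IFS=$old_ifs
            in_cidr "$2" "$cidr" && return 0
        done
        IFS=$old_ifs
    done <<EOF
$ALLOWED_NETS
EOF
    return 1
}

login_gate() {       # spawn the real shell only for an allowed source address
    ip=${SSH_CLIENT%% *}
    client_allowed "$(id -un)" "$ip" && exec /bin/sh "$@"
    echo "Login from ${ip:-unknown address} not permitted." >&2
    exit 1
}
# Acts as a gate only when installed under the hypothetical name subnet-shell.
case "${0##*/}" in subnet-shell) login_gate "$@" ;; esac
```

The check runs only after authentication has succeeded, and SSH features that do not start the login shell, such as port forwarding, are not covered by it.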