I would likely restrict access to ssh from external, if at all possible. I realize that this isn't always possible but it should be possible to at least narrow down access to certain IP ranges.
For this particular problem I'm assuming there are two NICs in the computer, one with an IP in private space and the other with a public address? One idea is to bind two SSH daemons, one for each NIC. Place no AllowGroups restriction on the internal SSH daemon. This means that all users can connect internally. On the SSH daemon bound externally place the AllowGroups restriction to restrict access to members of that group.

If there's only one NIC in the computer then you could still use two SSH daemons, just bind them to different ports. The internal port might be the standard tcp/22 whereas externally you would bind tcp/2222 or something. Then firewall off the access to port 22 from externally so that the internal-use daemon can't be accessed.

Hope that helps. I'm sure others will have ideas too.

Steve

On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> I have a server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in the sshd configuration file?
>
> If so, how?
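
The two-daemon layout described in the reply above, written out as an added example that is not part of the original message. The file names, the addresses 192.168.1.10 and 203.0.113.10, the pid file paths and the group name sshremote are assumptions chosen for illustration.

```conf
# ---- /etc/ssh/sshd_config_internal (hypothetical file name) ----
# Daemon for the private NIC. There is no AllowGroups line, so any
# account that can otherwise log in may connect from the internal network.
# Assumed internal address:
ListenAddress 192.168.1.10
Port 22
# Each daemon needs its own pid file so init scripts can tell them apart.
PidFile /var/run/sshd_internal.pid

# ---- /etc/ssh/sshd_config_external (hypothetical file name) ----
# Daemon for the public NIC. Only members of the listed group are
# accepted; everyone else is refused regardless of valid credentials.
# Assumed public address (documentation range):
ListenAddress 203.0.113.10
Port 22
PidFile /var/run/sshd_external.pid
# Assumed group name; create it and add the permitted users to it.
AllowGroups sshremote

# ---- Single-NIC variant from the reply ----
# Drop both ListenAddress lines, keep "Port 22" in the internal file and
# use "Port 2222" in the external file. The firewall must then block
# port 22 from outside, otherwise the unrestricted daemon is reachable
# from the internet and the AllowGroups restriction is bypassed.

# ---- Checking and starting ----
# Syntax-check each file before starting a daemon with it:
#   sshd -t -f /etc/ssh/sshd_config_internal
#   sshd -t -f /etc/ssh/sshd_config_external
# Start one daemon per file:
#   /usr/sbin/sshd -f /etc/ssh/sshd_config_internal
#   /usr/sbin/sshd -f /etc/ssh/sshd_config_external
```

Settings not shown here (host keys, authentication options) have to be repeated in both files, since each daemon reads only the file passed with -f.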