sminfo
Allow userok@ip_good, Deny userok@any_other_ip and Allow *@*

Is it possible? I'm running sshd on Aix6.1

Scenario:
ALLOW only access from: userok@ip_good
DENY access from userok@*
and
ALLOW access from *@*

Thanks
ASKER CERTIFIED SOLUTION
arnold
sminfo

ASKER

Hi wmp and arnold,

The fact is I have a user 'userok' who connects to all my servers and runs certain commands via sshd. I want to block access to my servers from userok@* but only allow access to sshd from userok@ip_good. :-)
Am I asking too much? I've searched a lot but can't find a solution to make this possible.
I think we understood your question and we answered it: no, it is not possible to achieve what you desire.
You are trying to combine two separate functions into working in tandem.
I.e., the TCP-based access list (tcp_wrappers) provides access control to sshd.
You can use hosts.allow and hosts.deny to deny sshd:ALL, and in hosts.allow add the sshd: IP range, IPs, etc. that you want to allow.

The SSH-level restriction for user and group access will handle that side using AllowGroups, AllowUsers, DenyGroups and DenyUsers; the deny entries are processed first.

The problem is you seemingly want to limit access of a specific user to a specific IP.

An option you could have is to replace the shell configured for userok.
Instead of /bin/bash, you could have an intermediary shell, which is a script that will check whether the user is connecting from ip_good by checking the SSH_CLIENT env variable. If it is, the script runs bash. If it is not, the script exits, which will terminate the ssh session.

You would need to add this overlay/wrapper script on every system, as well as modify the userok /etc/passwd entry, if it is not centrally managed using NIS, NIS+, LDAP, etc.
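The wrapper-shell approach described above, as an added example written for this page (it is not arnold's code and not from the thread): a POSIX sh script that reads SSH_CLIENT and only exec's the real shell when the client address matches. The permitted address 192.0.2.10, the real shell path and the install path are constructed placeholders.

```shell
#!/bin/sh
# Login-shell wrapper for 'userok': hand the session to the real shell only when
# sshd reports the connection came from the one permitted address.
# Assumptions (constructed, not from the thread): ip_good is 192.0.2.10, the
# real shell is /bin/bash, and this file is installed as userok's shell in
# /etc/passwd (for example as /usr/local/bin/userok-shell).
ALLOWED_IP="${ALLOWED_IP:-192.0.2.10}"
REAL_SHELL="${REAL_SHELL:-/bin/bash}"

# client_ip_of "<SSH_CLIENT value>": print the client address.
# sshd sets SSH_CLIENT to "client_ip client_port server_port".
client_ip_of() {
    set -- $1
    printf '%s\n' "${1:-}"
}

# source_allowed "<SSH_CLIENT value>" "<allowed ip>": exit 0 only on an exact
# address match.  An empty SSH_CLIENT (not an ssh session, or a scrubbed
# environment) is treated as denied, so the wrapper fails closed.
source_allowed() {
    src_ip=$(client_ip_of "$1")
    [ -n "$src_ip" ] && [ "$src_ip" = "$2" ]
}

# run_wrapper "$@": exec the real shell or end the session.
run_wrapper() {
    if source_allowed "${SSH_CLIENT:-}" "$ALLOWED_IP"; then
        if [ "${1:-}" = "-c" ]; then
            exec "$REAL_SHELL" "$@"   # remote command: sshd runs "shell -c cmd"
        fi
        exec "$REAL_SHELL" -l         # interactive session: start a login shell
    fi
    # Denied: leave a trace in syslog for the operator, then terminate.
    logger -t userok-shell "denied $(id -un) from '${SSH_CLIENT:-no SSH_CLIENT}'"
    exit 1
}

# Act as a shell only when invoked as one: sshd sets argv[0] to "-<shell>" for
# an interactive login, or passes -c for a remote command.  Run any other way
# (for instance to source these functions), the script does nothing.
if [ "${0#-}" != "$0" ] || [ "${1:-}" = "-c" ]; then
    run_wrapper "$@"
fi
```

The wrapper only governs sessions that start the login shell, so a port-forwarding-only session (ssh -N) from userok is not affected by it, and PermitUserEnvironment in sshd_config must stay at its default of no so the user cannot override SSH_CLIENT through ~/.ssh/environment.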