Allow some users from certain IPs access to OpenSSH on AIX.

CSIA AN
Hi,

We want to allow access to OpenSSH to user1, user2 and user3 but ONLY from these IPs:

user1@IP1
user2@IP1
user3@IP2

So access from user1@*, user2@*, user3@*  (any other IP) must be denied.

And all other users/groups can access the system via SSH.

Which do you think is the possible combination of:

AllowUsers
AllowGroups
DenyUsers
DenyGroups

inside /etc/ssh/sshd_config file?

Thanks.
Most Valuable Expert 2013
Top Expert 2013
Commented:
Hi Israel,

I think sshd_config's allow/deny stuff cannot do that, unless you were willing to add all your users to the AllowUsers stanza.

But if you have access to the authorized_keys file(s) of the target user(s) you can add a from=.. statement
to the public key entry/entries pertaining to the source user(s).

Example:

from="IP1" ssh-rsa AAAAB2...............19Q== user1@hisdomain.tld

You can also use patterns, and there are more options which can be placed into the authorized_keys file.

I think you should read the "authorized_keys File Format" section in the sshd manpage and experiment a bit.
I once had some success using the "command=..." feature which automatically starts the given command
for the respective user and ignores everything else, but I admit I never used "from=..."

Author

Commented:
Hi,

I'll take a look at "authorized_keys File Format", but I think it's not what the customer wants. At first glance, it seems not to be a solution inside the sshd_config file? I have tried with sshd_config but without success.
Let me check "authorized_keys File Format".
Thanks.
Most Valuable Expert 2013
Top Expert 2013
Commented:
No, it's not a solution inside sshd_config.

You could do it via sshd_config and its AllowUsers facility, but then you would have to add all users to that stanza,
user1/2/3 along with their IPs, all other users wildcarded or without IP.
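
The AllowUsers approach described in the reply above, as an added example that is not part of the original thread: a shell function that builds the line from a passwd-format file. The function name build_allowusers, the sample accounts alice and oper, and the addresses 192.0.2.10 and 192.0.2.20 (standing in for IP1 and IP2) are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): build an AllowUsers line that pins
# some accounts to one source address and lists every other account by name.
# Input is passwd-format text (name:...); on a real host pass /etc/passwd.

# build_allowusers PASSWD_FILE "user@addr user@addr ..."
build_allowusers() {
    passwd_file=$1
    pinned=$2
    line="AllowUsers"

    # Pinned accounts first, exactly as USER@ADDRESS.
    for entry in $pinned; do
        line="$line $entry"
    done

    # Every other account by name only, so it stays reachable from anywhere.
    # A bare "*" is deliberately not emitted: it would also match the pinned
    # accounts and admit them from any address.
    for name in $(cut -d: -f1 "$passwd_file"); do
        skip=0
        for entry in $pinned; do
            if [ "${entry%%@*}" = "$name" ]; then
                skip=1
            fi
        done
        if [ "$skip" -eq 0 ]; then
            line="$line $name"
        fi
    done

    printf '%s\n' "$line"
}

# Constructed sample input; 192.0.2.10 / 192.0.2.20 stand in for IP1 / IP2.
sample=$(mktemp)
printf '%s\n' \
    'oper:!:200:1::/home/oper:/usr/bin/ksh' \
    'user1:!:201:1::/home/user1:/usr/bin/ksh' \
    'user2:!:202:1::/home/user2:/usr/bin/ksh' \
    'user3:!:203:1::/home/user3:/usr/bin/ksh' \
    'alice:!:204:1::/home/alice:/usr/bin/ksh' > "$sample"
build_allowusers "$sample" "user1@192.0.2.10 user2@192.0.2.10 user3@192.0.2.20"
rm -f "$sample"
```

Unlike a from= option in authorized_keys, which only constrains logins made with that key, AllowUsers applies to every authentication method; validate the edited file with sshd -t before restarting the daemon.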

Author

Commented:
OK.. I'll take a look at ssh keys.

Thanks again wmp..

Have a good day!
Most Valuable Expert 2013
Top Expert 2013

Commented:
Thx for the points and have a good day, too!

wmp
