[TriLUG] limiting ssh

Kevin Hunter khunter at rhoworld.com
Thu Jan 24 17:30:26 EST 2002


I went w/ the following advice:

1) Copy /etc/security/access.conf to /etc/security/sshd_access.conf

2) Modify /etc/security/sshd_access.conf to taste.
For the mail server at work, where a lot of people have accounts but
I don't want the riffraff to get shell access:

+:adminuser1:ALL
+:adminuser2:ALL
-:ALL:ALL

3) Add to /etc/pam.d/sshd:
account  required  /lib/security/pam_access.so accessfile=/etc/security/sshd_access.conf

However, what would be great is if I could define a user to just get
in from our local 10.x.x.x network which is natd'd off a FreeBSD box
that's also connected to the DMZ my web server sits on.  I just can't
get the syntax right.  I've tried a bunch of different variations.
If someone has done this, please let me know.

# sshd_access.conf
+:wheel:ALL
+:user:10.x.x.0.   ???
-:ALL:ALL
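
An added example, not part of the original post and not pam_access source code: a simplified Python model of how an access.conf-style file is evaluated, using the network-number origin form that access.conf documents (an address prefix ending in "."). Assumptions: the first matching line decides, no match grants access, the client origin is a dotted-quad string, group membership is passed in as a set, and EXCEPT, LOCAL, netgroups and hostnames are not modelled; `parse_rules`, `allowed` and the sample file are constructed for illustration.

```python
# Simplified model of access.conf evaluation (illustrative, not pam_access itself).
# Assumed: first match wins, no match = grant, origin is an IPv4 string.

def parse_rules(text):
    """Return a list of (permit, user_tokens, origin_tokens)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def user_matches(token, user, groups):
    # A token may name the user, one of the user's groups, or ALL.
    return token == "ALL" or token == user or token in groups

def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token.endswith("."):                   # network number, e.g. "10."
        return origin.startswith(token)       # "10." must not match "100.1.1.1"
    return token == origin                    # exact host address

def allowed(rules, user, groups, origin):
    for permit, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return permit                     # first matching line decides
    return True                               # nothing matched: access granted

# Constructed sample file: "user" may log in only from 10.0.0.0/8.
SAMPLE = """\
# sshd_access.conf
+:wheel:ALL
+:user:10.
-:ALL:ALL
"""
RULES = parse_rules(SAMPLE)
```

Because the first matching line decides, the final `-:ALL:ALL` only takes effect for logins that none of the `+` lines above it matched.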





