Ssh: allow all users for one IP, and restrict to one user for public IP

authorizationssh

I have a server on a VPN. This server has a public address and has a gitlab instance on it.
I'd like to be able to connect with any ssh user from the VPN address, but restrict the access to the git user from the public address.

How can I achieve both things at the same time?

I'm already restricting access like this:

# Listen on localhost
ListenAddress 127.0.0.1
# Listen on public address
ListenAddress 1.2.3.4
# Listen on the VPN address
ListenAddress 5.6.7.8

I'm on an Ubuntu server system, using openssh version 1:5.9p1-5ubuntu1

Best Answer

You should be able to achieve this using Match blocks ( localAddress)with additional AllowUsers/DenyUsers filtering in your sshd_config file, like this (assuming 1.2.3.4 is your public address):

Match LocalAddress 1.2.3.4
    AllowUsers git

Related Solutions

Ssh – How to set public SSH key for root user on server

I'm not sure what you mean. You mean you can't login as root with your public_key? If so check /root/.ssh/authorized_keys

Have also look at /etc/ssh/sshd_config It should contain:

PermitRootLogin yes

Ssh – Allow users to ssh to specific user through ldap and stored public keys

The author of gitolite has added some features that help support external key stores and group membership information. Search the CHANGELOG for LDAP.

To use an external key store your sshd needs to support the usual .ssh/authorized_keys file (this is the file that tells sshd to run gl-auth-command when a gitolite user logs in).

Turn off the normal authkey generation (the one based on the keydir in the gitolite-admin repository):
$GL_NO_SETUP_AUTHKEYS = 0; in your .gitolite.rc.
Periodically (any time a key is changed, a user is added, etc.):
1. Extract all the SSH keys from your key store into some convenient, temporary directory (use the same names for key files as if they were in the normal repository-based keydir).
2. Run gl-setup-authkeys to have gitolite rebuild its part of the authorized_keys file.

See the commit message that introduced gl-setup-authkeys for the author’s own description.

Using externally defined user groups is a bit trickier since it usually involves interposing another program between sshd and gl-auth-command (the group memberships are passed as extra arguments to gl-auth-command). See “usergroups and LDAP/similar tools”.

Best Answer

Related Solutions

Ssh – How to set public SSH key for root user on server

Ssh – Allow users to ssh to specific user through ldap and stored public keys

Related Topic