How to allow only certain users to login to an SSH server from a particular network interface?
e.g.
- eth0 is "outside", eth1 is "inside".
- user1 is trusted to login from anywhere
- user2 is only allowed to login from "inside"
Can't use AllowUsers user1@eth0
because AllowUsers takes a hostname not an interface name.
Other answers on this site suggest something like:
Match address 1.2.3.4/16 # eth0's network
AllowUsers user1
Match address 2.3.4.5/16 # eth1's network
AllowUsers user1,user2
Match address 0.0.0.0/0 # Match's equivalent of a closing brace?
However if eth0 is using a DHCP server to get its address, then it doesn't know in advance that 1.2.3.4 is the right address to put in sshd_config.
(OpenSSH on Ubuntu 12.04 if that makes a difference)
Best Answer
I don't know how to do this in a Match block, and your comment above suggests it's not possible (as does, as you note, the man page). But if you're sure that you want to do the user restriction by interface - which your question says you do - you could run two sshds, each having a different sshd_config which directs it to listen on one interface only, controlled by the ListenAddress directive. The sshd listening on the internal interface could in its config have AllowUsers user1 user2, while that listening on the external interface could have AllowUsers user1. I'd probably do it by group membership and have AllowGroups internal / AllowGroups internal external instead, but that's just me.

Edit: imo, the right way to do this is to run /usr/sbin/sshd -f /etc/ssh/sshd_config_inside and /usr/sbin/sshd -f /etc/ssh/sshd_config_outside. Arranging how this works at boot time, and ensuring that your service startup/shutdown files do the right thing, is indeed important, but it is also a perfectly normal thing for a sysadmin to need to do, and to do. It is definitely not necessary to have two binaries, or even the same binary by two different names, to do this.
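An added example, not the answerer's code, of generating the two per-interface configs the answer describes from each interface's current IPv4 address, so the DHCP-assigned address on eth0 from the question need not be hard-coded; it assumes iproute2's "ip -4 -o addr show dev IFACE" one-line output format, and the PidFile paths are an assumption (the config file names are the answer's).

```shell
#!/bin/sh
# Added example (not from the original answer): build per-interface
# sshd_config files from each interface's current IPv4 address.
# Assumes iproute2's "ip -4 -o addr show dev IFACE" one-line output format;
# the PidFile paths below are an assumption.
set -eu

# Pull the first IPv4 address (prefix length stripped) out of `ip -4 -o addr`
# output. Takes the output as text so a captured sample can be fed in too.
addr_from_ip_output() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Write one sshd_config bound to a single address with its own user list.
# $1 = instance name, $2 = listen address, $3 = AllowUsers list, $4 = output path.
# Each instance gets its own PidFile so the two do not overwrite each other's
# pid and the startup/shutdown scripts can stop the right one. Everything not
# set here falls back to sshd's defaults (sshd -f replaces the whole config),
# so copy any site settings such as HostKey from the original sshd_config.
write_sshd_config() {
    cat > "$4" <<EOF
# sshd instance "$1": listens on $2 only (generated; do not edit by hand)
ListenAddress $2
AllowUsers $3
PidFile /var/run/sshd_$1.pid
EOF
}

# Generate the config for one interface from its live address (needs iproute2).
# $1 = instance name, $2 = interface, $3 = AllowUsers list, $4 = output path.
config_for_iface() {
    addr=$(addr_from_ip_output "$(ip -4 -o addr show dev "$2")")
    [ -n "$addr" ] || { echo "no IPv4 address on $2" >&2; return 1; }
    write_sshd_config "$1" "$addr" "$3" "$4"
}

# Typical use (as root, e.g. from a DHCP lease hook, then restart both sshds):
#   config_for_iface inside  eth1 "user1 user2" /etc/ssh/sshd_config_inside
#   config_for_iface outside eth0 "user1"       /etc/ssh/sshd_config_outside
#   sshd -t -f /etc/ssh/sshd_config_inside && sshd -t -f /etc/ssh/sshd_config_outside
```

Because eth0's lease can change, the script has to be re-run (and that sshd restarted) whenever the DHCP client renews with a new address; `sshd -t` checks each generated file before it is used.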