I have an Ubuntu 12.04 server set up with Gitlab and OpenVPN to serve as a git and vpn server for us.
Currently I have opened up port 1194 in the firewall to open for OpenVPN and let users authenticate by a rsa certificate and a google auth key.
I have not opened the firewall up for SSH traffic yet, as I do not want SSH fully exposed to WAN. However we need to be able to push and pull without being connected to vpn.
How can open the ssh access to WAN only for the limited git user, while allowing admins to access the server from the LAN?
I suspect that I should be looking for something in the direction of using match groups in the sshd_config file. As seen in this question:
"How can I setup OpenSSH per-user authentication methods?", does anybody have experience with this?
Edit:
I initially accepted the answer of using access.conf to limit the login access. But later answers indicate that the same can be achieved in sshd.conf either by a match directive or using the username@hostaddress syntax.
At first thought I find it more intuitive to put this in sshd, and it will probably be easier to maintain and understand for other administrators. Are there any strong advantages to using access.conf over sshd.conf?
If I were to range the options mentioned here on how intuitive they are I would say:
1. sshd.conf
2. access.conf
3. IpTables
Do you agree?
Best Answer
You can control where users are allowed to log in from using the AllowGroups, AllowUsers, DenyGroups, and DenyUsers directives in sshd_config. They are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. AllowUsers can include the host as well as the username; I think the others just allow names.
Let's say your
In sshd_config you would say
Alternately, you could do this with the Match directive. The match directive lets you alter sshd's behavior based on conditions, such as the address from which a user is connecting.
In the global part of the sshd_config you would have
the at the end of the file you would override this for your LAN with