Ssh – Restrict SSH login from a specific user to a specific IP address

ssh

I'd like to restrict SSH logins for a specific FreeBSD user account to a specific IP address (they're automated rsync backups from one machine to another, no actual user should ever be logging in, just the SSH+rsync process).

I feel like I should be able to do this using either hosts.allow or sshd_config… but I can't find any clear-cut example for how to do this. Can anyone tell me?

Best Answer

In addition to the wrappers option....I imagine this rsync backup is making use of an ssh key. You can restrict a key to a specific source IP or domain. This would be equivalent to a user-to-IP restriction since only that user is making use of that key (if your smart, which you appear).

First line of authorized_keys file:

from="trusted.domain.com",no-port-forwarding,no-pty ssh-rsa AAAABasdf

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Ssh – Mercurial: How to setup hg-ssh with user/pass

You must use SSH keys if you want to use hg-ssh — the restricted shell is only triggered when you log in with a SSH key. Read the header in hg-ssh for instructions on how to set it up:

To be used in ~/.ssh/authorized_keys with the command option, see sshd(8):
command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
(probably together with these other useful options: no-port-forwarding, no-X11-forwarding, no-agent-forwarding)

This allows pull/push over SSH from/to the repositories given as arguments. If all your repositories are subdirectories of a common directory, you can allow shorter paths with:
command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"
You can use pattern matching of your normal shell, e.g.:
command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}" 

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Ssh – Mercurial: How to setup hg-ssh with user/pass

Related Topic