SSH AllowUsers from particular network
How to allow only certain users to login to an SSH server from a particular network interface?
e.g.
- eth0 is "outside", eth1 is "inside".
- user1 is trusted to login from anywhere
- user2 is only allowed to login from "inside"
Can't use AllowUsers user1@eth0
because AllowUsers takes a hostname not an interface name.
Other answers on this site suggest something like:
Match address 1.2.3.4/16 # eth0's network
AllowUsers user1
Match address 2.3.4.5/16 # eth1's network
AllowUsers user1,user2
Match address 0.0.0.0/0 # Match's equivalent of a closing brace?
However if eth0 is using a DHCP server to get its address, then it doesn't know in advance that 1.2.3.4 is the right address to put in sshd_config.
(OpenSSH on Ubuntu 12.04 if that makes a difference)
I don't know how to do this in a Match
block, and your comment above suggests it's not possible (as does, as you note, the man
page).
But if you're sure that you want to do the user restriction by interface - which your questions says you do - you could run two sshd
s, each having a different sshd_config
which directs it to listen on one interface only, controlled by the ListenAddress
directive.
The sshd
listening on the internal interface could in its config have AllowUsers user1 user2
, while that listening on the external interface could have AllowUsers user1
. I'd probably do it by group membership and have AllowGroups internal
/ AllowGroups internal external
instead, but that's just me.
Edit: imo, the right way to do this is to run /usr/sbin/sshd -f /etc/ssh/sshd_config_inside
and /usr/sbin/sshd -f /etc/ssh/sshd_config_outside
. Arranging how this works at boot time, and ensuring that your service startup/shutdown files do the right thing, is indeed important, but it is also a perfectly normal thing for a sysadmin to need to do, and to do. It is definitely not necessary to have two binaries, or even the same binary by two different names, to do this.
I know this is an old question but I was looking for a solution without having to start 2 instances of sshd.
Referring to your specific question and the 1.2.3.4/16 subnet and the 2.3.4.5/16 subnet, you could use the following:
AllowUsers [email protected].* [email protected].* [email protected].*
Reference: http://www.unixlore.net/articles/five-minutes-to-even-more-secure-ssh.html
For my network, I use the following to allow user chris to ssh from anywhere but only allow user1, user2 and user3 to ssh on my internal network (192.168.0.0/24):
AllowUsers chris [email protected].* [email protected].* [email protected].*
Version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 on Ubuntu 14.04.3 LTS
Match address 1.2.3.4/16
is invalid, must be Match address 1.2.0.0/16
. The network addresses of the interfaces don't change, do they? So it doesn't matter what IP you get.
Another option may be (I have no personal experience with that) to create two virtual interfaces with a static address, have two sshd instances, each bound to one of these addresses only and make DNAT from the DHCP interface to the virtual one.