SSH AllowUsers from particular network

ssh

How to allow only certain users to login to an SSH server from a particular network interface?

e.g.

  • eth0 is "outside", eth1 is "inside".
  • user1 is trusted to login from anywhere
  • user2 is only allowed to login from "inside"

Can't use AllowUsers user1@eth0 because AllowUsers takes a hostname not an interface name.

Other answers on this site suggest something like:

Match address 1.2.3.4/16 # eth0's network
   AllowUsers user1
Match address 2.3.4.5/16 # eth1's network
   AllowUsers user1,user2
Match address 0.0.0.0/0  # Match's equivalent of a closing brace?

However if eth0 is using a DHCP server to get its address, then it doesn't know in advance that 1.2.3.4 is the right address to put in sshd_config.

(OpenSSH on Ubuntu 12.04 if that makes a difference)


I don't know how to do this in a Match block, and your comment above suggests it's not possible (as does, as you note, the man page).

But if you're sure that you want to do the user restriction by interface - which your questions says you do - you could run two sshds, each having a different sshd_config which directs it to listen on one interface only, controlled by the ListenAddress directive.

The sshd listening on the internal interface could in its config have AllowUsers user1 user2, while that listening on the external interface could have AllowUsers user1. I'd probably do it by group membership and have AllowGroups internal / AllowGroups internal external instead, but that's just me.

Edit: imo, the right way to do this is to run /usr/sbin/sshd -f /etc/ssh/sshd_config_inside and /usr/sbin/sshd -f /etc/ssh/sshd_config_outside. Arranging how this works at boot time, and ensuring that your service startup/shutdown files do the right thing, is indeed important, but it is also a perfectly normal thing for a sysadmin to need to do, and to do. It is definitely not necessary to have two binaries, or even the same binary by two different names, to do this.


I know this is an old question but I was looking for a solution without having to start 2 instances of sshd.

Referring to your specific question and the 1.2.3.4/16 subnet and the 2.3.4.5/16 subnet, you could use the following:

AllowUsers [email protected].* [email protected].* [email protected].*

Reference: http://www.unixlore.net/articles/five-minutes-to-even-more-secure-ssh.html

For my network, I use the following to allow user chris to ssh from anywhere but only allow user1, user2 and user3 to ssh on my internal network (192.168.0.0/24):

AllowUsers chris [email protected].* [email protected].* [email protected].*

Version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 on Ubuntu 14.04.3 LTS


Match address 1.2.3.4/16 is invalid, must be Match address 1.2.0.0/16. The network addresses of the interfaces don't change, do they? So it doesn't matter what IP you get.

Another option may be (I have no personal experience with that) to create two virtual interfaces with a static address, have two sshd instances, each bound to one of these addresses only and make DNAT from the DHCP interface to the virtual one.

Related

Amazon EC2 t2.micro AMI taking time to execute commands
I accidentally deleted /var/log/syslog, Now rsyslog Won't Log anything
How can I have a web site automatically open up at a certain time each day [closed]
Would you recommend Windows Vista? [closed]
Is there a visual bell in Linux that works in X?
How is the filesystem of Wikipedia designed?
writing LTO-3 tapes with a LTO-4 drive
Optimum way to serve 70,000 static files (jpg)?
Hardware alternative to PfSense software Firewall/Router [closed]
Running Subversion post-commit hook as a background process
List of tools you install on your debian/red-hat server [closed]
Why do partially failed/failing switches fail to pass DHCP?