Limit ssh to local network, except for the git user

I have an Ubuntu 12.04 server set up with Gitlab and OpenVPN to serve as a git and vpn server for us.

Currently I have opened up port 1194 in the firewall to open for OpenVPN and let users authenticate by a rsa certificate and a google auth key.

I have not opened the firewall up for SSH traffic yet, as I do not want SSH fully exposed to WAN. However we need to be able to push and pull without being connected to vpn.

How can I open the ssh access to WAN only for the limited git user, while allowing admins to access the server from the LAN?

I suspect that I should be looking for something in the direction of using match groups in the sshd_config file. As seen in this question: "How can I setup OpenSSH per-user authentication methods?", does anybody have experience with this?


Edit:

I initially accepted the answer of using access.conf to limit the login access. But later answers indicate that the same can be achieved in sshd.conf either by a match directive or using the username@hostaddress syntax.

At first thought I find it more intuitive to put this in sshd, and it will probably be easier to maintain and understand for other administrators. Are there any strong advantages to using access.conf over sshd.conf?

If I were to range the options mentioned here on how intuitive they are I would say: 1. sshd.conf 2. access.conf 3. IpTables

Do you agree?


You can control where users are allowed to log in from using the AllowGroups, AllowUsers, DenyGroups, and DenyUsers directives in sshd_config. They are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. AllowUsers can include the host as well as the username; I think the others just allow names.

Let's say your

  • LAN is 192.168.1.0/24
  • git user is named git
  • admins users are named alice and bob

In sshd_config you would say

AllowUsers alice@192.168.1.0/24 bob@192.168.1.0/24 git

Alternately, you could do this with the Match directive. The match directive lets you alter sshd's behavior based on conditions, such as the address from which a user is connecting.

In the global part of the sshd_config you would have

AllowUsers git

then at the end of the file you would override this for your LAN with

Match Address 192.168.1.0/24
    AllowUsers alice bob git
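To check the two sshd_config variants in this answer against a few (user, source address) pairs before touching a live server, here is an added Python model of how sshd evaluates AllowUsers/DenyUsers together with Match Address. It is not code from the answer or from OpenSSH. It uses the usernames and LAN range from the answer, constructed source addresses (203.0.113.0/24 stands in for the WAN), models only the User and Address criteria (no group directives, no hostname matching), and follows the servconf.c behaviour in which a non-empty AllowUsers inside a matching Match block replaces the global list. On the real host, `sshd -T -C user=alice,addr=192.168.1.20` prints the effective configuration for that connection and is the authoritative check.

```python
"""Added model of sshd AllowUsers/DenyUsers + Match Address evaluation (not OpenSSH code)."""
import fnmatch
import ipaddress

# Constructed sample 1: the answer's single-line variant (USER@CIDR patterns).
CONFIG_USER_AT_HOST = "AllowUsers alice@192.168.1.0/24 bob@192.168.1.0/24 git\n"

# Constructed sample 2: the answer's Match variant (global AllowUsers, LAN override).
CONFIG_MATCH_BLOCK = """\
AllowUsers git
Match Address 192.168.1.0/24
    AllowUsers alice bob git
"""

def parse_sshd_config(text):
    """Return (global_directives, match_blocks); keywords lower-cased, as sshd ignores case."""
    globs, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":
            current = (args, [])          # (criteria, directives inside this block)
            blocks.append(current)
        elif current is None:
            globs.append((key, args))
        else:
            current[1].append((key, args))
    return globs, blocks

def _host_matches(addr, pattern):
    """HOST part of USER@HOST or a Match Address entry: a CIDR, or a glob on the address."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(addr, pattern)

def _address_list_matches(addr, spec):
    """Match Address takes a comma-separated list; a leading '!' negates an entry."""
    for entry in spec.split(","):
        if _host_matches(addr, entry.lstrip("!")):
            return not entry.startswith("!")
    return False

def _user_pattern_matches(user, addr, pattern):
    """AllowUsers/DenyUsers entry: USER, or USER@HOST where both parts must match."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and _host_matches(addr, hpat)
    return fnmatch.fnmatchcase(user, pattern)

def _match_block_applies(criteria, user, addr):
    """Evaluate 'Match' criterion/value pairs; only User and Address are modelled."""
    pairs = iter(criteria)
    for crit, value in zip(pairs, pairs):
        crit = crit.lower()
        if crit == "address":
            if not _address_list_matches(addr, value):
                return False
        elif crit == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in value.split(",")):
                return False
        else:
            return False   # unmodelled criterion: treat the block as not matching
    return True

def effective_lists(text, user, addr):
    """Effective AllowUsers/DenyUsers for one connection. Assumption (mirrors servconf.c
    copy_set_server_options): a non-empty list from matching Match blocks replaces the global one."""
    globs, blocks = parse_sshd_config(text)
    lists = {"allowusers": [], "denyusers": []}
    for key, args in globs:
        if key in lists:
            lists[key].extend(args)
    overrides = {"allowusers": [], "denyusers": []}
    for criteria, directives in blocks:
        if _match_block_applies(criteria, user, addr):
            for key, args in directives:
                if key in overrides:
                    overrides[key].extend(args)
    for key, vals in overrides.items():
        if vals:
            lists[key] = vals
    return lists

def login_permitted(text, user, addr):
    """sshd order: DenyUsers is checked first, then AllowUsers (group directives not modelled)."""
    lists = effective_lists(text, user, addr)
    if any(_user_pattern_matches(user, addr, p) for p in lists["denyusers"]):
        return False
    if lists["allowusers"]:
        return any(_user_pattern_matches(user, addr, p) for p in lists["allowusers"])
    return True

if __name__ == "__main__":
    # Constructed connections: 203.0.113.9 is a WAN client, 192.168.1.20 a LAN client.
    for user, addr in [("git", "203.0.113.9"), ("alice", "203.0.113.9"), ("alice", "192.168.1.20"), ("mallory", "192.168.1.20")]:
        print(f"{user}@{addr}: user@host={login_permitted(CONFIG_USER_AT_HOST, user, addr)} Match={login_permitted(CONFIG_MATCH_BLOCK, user, addr)}")
```

Both variants give the same verdicts for these four connections: git from anywhere, alice and bob only from 192.168.1.0/24, nobody else. The Match variant is the one to extend if the LAN later also needs, say, a different AuthenticationMethods setting, since all of that can live in the same block.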

You're looking for pam_access, with it you can configure sshd to accept authentication for all users from the local network and for the git user from anywhere.

Something like:

+ : ALL : 10. crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : git : ALL
- : ALL : ALL

in your access.conf should do the trick
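For comparison with the sshd_config approach in the other answer, here is an added Python model of how pam_access walks access.conf; it is not pam_access itself and not part of this answer. It takes the three rules above as given and adds, as an assumption, one line admitting everyone from the 192.168.1.0/24 LAN used in the other answer, because "10." only matches origins under the 10.0.0.0/8 prefix. Rules are tried top to bottom and the first match decides; the model matches on the bare address, whereas pam_access receives whatever sshd put in PAM_RHOST (possibly a resolved hostname), and it is only consulted at all when sshd runs PAM account checks (UsePAM yes). Group matching and the LOCAL keyword's address lookup are not modelled.

```python
"""Added model of pam_access access.conf evaluation (not pam_access code)."""
import ipaddress

# Constructed sample: the answer's three rules plus an assumed LAN line for
# 192.168.1.0/24 (the "10." entry only covers 10.x.y.z origins).
SAMPLE_ACCESS_CONF = """\
# permission : users : origins
+ : ALL : 10. crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : ALL : 192.168.1.0/24
+ : git : ALL
- : ALL : ALL
"""

def parse_access_conf(text):
    """Return [(permit, users, origins)] per rule. The origins field keeps any later ':'
    so X display names such as ':0' survive."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+",
                      users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules

def _origin_matches(origin, pattern):
    """Origin entry: ALL, LOCAL, a CIDR, a trailing-dot network prefix, or an exact name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin            # pam_access: LOCAL matches origins without a dot
    if "/" in pattern:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False                    # origin is a tty or display name, not an address
    if pattern.endswith("."):
        return origin.startswith(pattern)   # "10." matches 10.x.y.z
    return origin == pattern

def _user_matches(user, pattern):
    """User entry: ALL or a login name (group matching is not modelled here)."""
    return pattern == "ALL" or pattern == user

def _list_matches(items, target, matcher):
    """A field may read 'a b EXCEPT c d': match an item before EXCEPT and none after it."""
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        head, tail = items[:idx], items[idx + 1:]
    else:
        head, tail = items, []
    return (any(matcher(target, p) for p in head)
            and not any(matcher(target, p) for p in tail))

def access_granted(conf_text, user, origin):
    """First matching rule wins. With no matching rule pam_access permits the login,
    which is why the file ends with '- : ALL : ALL'."""
    for permit, users, origins in parse_access_conf(conf_text):
        if _list_matches(users, user, _user_matches) and _list_matches(origins, origin, _origin_matches):
            return permit
    return True

if __name__ == "__main__":
    # Constructed origins: 203.0.113.9 is a WAN client, 10.8.0.6 an assumed VPN client address.
    for user, origin in [("git", "203.0.113.9"), ("alice", "203.0.113.9"),
                         ("alice", "192.168.1.20"), ("alice", "10.8.0.6"), ("alice", "tty1")]:
        verdict = "permitted" if access_granted(SAMPLE_ACCESS_CONF, user, origin) else "denied"
        print(f"{user} from {origin}: {verdict}")
```

Because pam_access runs in the account stage, a denied user still completes key or password authentication before being refused, so the auth.log line differs from an sshd-level AllowUsers refusal; worth knowing when writing alerts on failed logins.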