
I need to restrict connections to an openssh server to only three or four IP addresses. I know I can, on the CentOS 7 and Oracle Linux boxes, use firewalld or TCP wrappers. However, some of the servers on the network do not support firewalld or have a build of openssh that doesn't include libwrap.so. Those need an ssh solution.

I've tried different variations such as these but, so far, I either get locked out completely or anyone can get in.

Match Address !10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
  DenyUsers *@*
DenyUsers *@*

Match Address 10.222.79.74,10.222.79.75,172.23.10.22,10.217.184.58
  AllowUsers *@*

Is there a way to do this?

OK, I am officially a DA.

I set the log level to debug and, from looking at the most recent login, I realized I was testing from one of the IPs on the allowed list. I tried it from a different client and the following works as expected.

Match Host *,!10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
  DenyUsers *

Apologies for wasting your time.

scarville
  • Have you tried `Match` rules with a leading wildcard as described here: https://serverfault.com/a/408396/75874 ? – sborsky Aug 24 '21 at 19:54
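The two Match lines in the question differ only in the leading wildcard the comment above points to. The following Python is an added example, not code from the post or from OpenSSH: it reproduces the pattern-list rules documented in the PATTERNS section of ssh_config(5) (a matching negated pattern rejects immediately, and a negated pattern never produces a positive match on its own) and evaluates both lists against the question's four addresses plus a constructed outsider address; the function names and the 192.0.2.10 client are my own, and the real Match Address criterion also accepts CIDR ranges, which this model leaves out.

```python
"""Model of the sshd Match pattern-list rules from ssh_config(5) PATTERNS."""
from fnmatch import fnmatchcase


def match_pattern_list(pattern_list: str, target: str) -> bool:
    """Return True if target matches the comma-separated pattern list.

    Rules as documented: '*' and '?' are wildcards, a leading '!' negates a
    pattern, a negated pattern that matches rejects the target at once, and
    only a non-negated pattern can produce a positive result.
    """
    positive = False
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        # fnmatchcase also accepts [...] classes, which OpenSSH lacks;
        # harmless for dotted-quad addresses.
        if fnmatchcase(target, pattern):
            if negated:
                return False
            positive = True
    return positive


# The four addresses from the question, and the two Match criteria built from them.
ALLOWED = ["10.222.79.74", "10.222.79.75", "172.23.10.22", "10.217.184.58"]
NEGATIONS = ",".join("!" + ip for ip in ALLOWED)
NEGATION_ONLY = NEGATIONS            # first attempt: !a,!b,!c,!d
WILDCARD_FIRST = "*," + NEGATIONS    # working version: *,!a,!b,!c,!d


def who_is_denied(criteria: str, clients: list[str]) -> list[str]:
    """Clients for which a 'DenyUsers *' inside 'Match <criteria>' would fire."""
    return [c for c in clients if match_pattern_list(criteria, c)]


if __name__ == "__main__":
    # Constructed outsider address (TEST-NET-1), not one of the allowed four.
    clients = ALLOWED + ["192.0.2.10"]
    # Negation-only list never yields a positive match: the block applies to nobody.
    print("negation-only denies:", who_is_denied(NEGATION_ONLY, clients))   # []
    # Leading '*' matches everyone, then the negations carve out the allowed set.
    print("wildcard-first denies:", who_is_denied(WILDCARD_FIRST, clients))  # ['192.0.2.10']
```

Run it from a shell to see that the negation-only block leaves every client unrestricted, which matches the "anyone can get in" symptom in the question.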

1 Answer

According to the sshd_config man page (OpenSSH_8.0p1):

For each keyword, the first obtained value will be used.

So I guess the first example looks like the correct one.

Please note: I have a strong feeling this changed recently (from the LAST value being used), so please check your man pages. And (as I just checked it) it doesn't look like it is working as described, so you may have to experiment.

Tomek
  • Read under 'Match'; the first occurrence in a satisfied Match block overrides the (first) value (if any) in the global section i.e. before the first Match. – dave_thompson_085 Aug 25 '21 at 01:08