
I have a server on a VPN. This server has a public address and has a gitlab instance on it. I'd like to be able to connect with any ssh user from the VPN address, but restrict the access to the git user from the public address.

How can I achieve both things at the same time?

I'm already restricting access like this:

# Listen on localhost
ListenAddress 127.0.0.1
# Listen on public address
ListenAddress 1.2.3.4
# Listen on the VPN address
ListenAddress 5.6.7.8

I'm on an Ubuntu server system, using openssh version 1:5.9p1-5ubuntu1

greg0ire

2 Answers


You should be able to achieve this using Match blocks (LocalAddress) with additional AllowUsers/DenyUsers filtering in your sshd_config file, like this (assuming 1.2.3.4 is your public address):

Match LocalAddress 1.2.3.4
    AllowUsers git
user9517
  • Bah, I was half way through a convoluted answer about `authorized_keys` and `from=`. This is much better. – SmallClanger Apr 25 '13 at 08:53
  • I can't get this to work. Access is denied for all users with this configuration. Is there something wrong with the syntax? – greg0ire Apr 25 '13 at 09:03
  • I tried prepending this with `AllowUsers *`, without success. – greg0ire Apr 25 '13 at 09:08
  • `AllowUsers *` or `AllowUsers git` alone do what they are expected to do. Adding the `Match` block makes ssh deny everything for every IP. – greg0ire Apr 25 '13 at 09:20
  • I'm using `ListenAddress` directives and noticed with netstat that sshd does not listen on anything as soon as I add the Match block. Is there an incompatibility? – greg0ire Apr 25 '13 at 09:36
  • As soon as I add a `Match` block, ssh doesn't restart properly, and `service ssh status` displays "ssh stop/waiting". Any pointers? – greg0ire Apr 25 '13 at 12:16
  • `sshd -t` displays "Unsupported Match attribute LocalAddress" I guess I'm going to try filtering on the client's address – greg0ire Apr 25 '13 at 12:20

I ended up using AllowUsers, without a match block, like this:

AllowUsers git root@somepattern root@someotherpattern
greg0ire
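To make the difference between the two answers concrete, here is an added example (my own, not code from either answer or from OpenSSH) that models sshd's AllowUsers evaluation in Python and runs both sshd_config fragments over a few constructed connection attempts. It assumes 1.2.3.4 is the public address and 5.6.7.8 the VPN address as in the question, invents a VPN client pattern 5.6.7.* in place of the asker's "somepattern" and a public client 203.0.113.9, and models only the rules these fragments rely on: a Match LocalAddress block overrides the global AllowUsers for connections that arrived on that listening address, while an AllowUsers USER@HOST pattern is checked against the client's address no matter which address sshd accepted the connection on. Match LocalAddress is not understood by the asker's OpenSSH 5.9 (the `sshd -t` error in the comments), so the second fragment is the one that works there.

```python
"""Model of sshd's AllowUsers / Match LocalAddress decision for the two
sshd_config fragments on this page. Added example: a constructed model, not
sshd's own code; it covers only the rules those fragments rely on."""
import fnmatch
import ipaddress

# Listening addresses from the question (roles assumed: 1.2.3.4 public, 5.6.7.8 VPN).
PUBLIC_ADDR = "1.2.3.4"
VPN_ADDR = "5.6.7.8"
# Assumed: VPN clients present source addresses in 5.6.7.*; public clients do not.
VPN_CLIENT_PATTERN = "5.6.7.*"


def match_pattern(value: str, pattern: str) -> bool:
    """sshd-style pattern: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)


def match_host(addr: str, pattern: str) -> bool:
    """HOST part of USER@HOST: a CIDR block if it contains '/', else a wildcard
    pattern compared against the client's IP (hostname matching is not modelled)."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return match_pattern(addr, pattern)


def allow_users_permits(patterns, user: str, client_addr: str) -> bool:
    """AllowUsers: no patterns means no restriction; otherwise the login is allowed
    only if some pattern matches. A bare pattern is matched against the user name;
    USER@HOST checks user and client address separately (listening address ignored)."""
    if not patterns:
        return True
    for pat in patterns:
        user_pat, _, host_pat = pat.partition("@")
        if match_pattern(user, user_pat) and (not host_pat or match_host(client_addr, host_pat)):
            return True
    return False


def config_with_match_permits(user: str, local_addr: str, client_addr: str) -> bool:
    """The accepted answer's fragment (requires an sshd that knows Match LocalAddress):

        Match LocalAddress 1.2.3.4
            AllowUsers git

    There is no global AllowUsers, so a connection that arrived on the VPN address or
    localhost is unrestricted; one that arrived on 1.2.3.4 gets the block's list instead."""
    global_allow = []
    match_blocks = [(PUBLIC_ADDR, ["git"])]
    effective = global_allow
    for local_pat, block_allow in match_blocks:
        if match_host(local_addr, local_pat) and block_allow:
            effective = block_allow  # Match keywords override the global section
    return allow_users_permits(effective, user, client_addr)


def config_without_match_permits(user: str, local_addr: str, client_addr: str) -> bool:
    """The asker's OpenSSH 5.9 workaround, with an assumed VPN client pattern:

        AllowUsers git root@5.6.7.*

    Only the client address is consulted: git from anywhere, root only from 5.6.7.*,
    and any user not named is refused on every listening address."""
    del local_addr  # AllowUsers never looks at the address sshd accepted on
    return allow_users_permits(["git", f"root@{VPN_CLIENT_PATTERN}"], user, client_addr)


# Constructed connection attempts: (user, listening address, client address).
ATTEMPTS = {
    "git from the internet": ("git", PUBLIC_ADDR, "203.0.113.9"),
    "root from the internet": ("root", PUBLIC_ADDR, "203.0.113.9"),
    "root over the VPN": ("root", VPN_ADDR, "5.6.7.42"),
    "alice over the VPN": ("alice", VPN_ADDR, "5.6.7.42"),
}


def decision_table() -> dict:
    """Returns {attempt: (allowed with Match block, allowed with plain AllowUsers)}."""
    return {
        label: (config_with_match_permits(*conn), config_without_match_permits(*conn))
        for label, conn in ATTEMPTS.items()
    }


if __name__ == "__main__":
    print(f"{'attempt':<24} {'Match LocalAddress':<20} {'AllowUsers user@host'}")
    for label, (with_match, without_match) in decision_table().items():
        print(f"{label:<24} {str(with_match):<20} {without_match}")
```

Running it prints the one behavioural difference worth checking before settling on either fragment: both refuse root from the public address and accept git anywhere, but the Match form lets any user in over the VPN, whereas the plain AllowUsers form admits only the users it names (git, and root from the VPN pattern) and refuses everyone else on every address. DenyUsers, group filtering and hostname matching (sshd also compares the reverse-resolved client name when UseDNS is on) are left out of the model.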