restrict external SSH logins to specific users and allow intranet logins to all

Question

I would like to restrict external SSH logins to specific users and allow intranet logins (192.168.0.0/24) to all users. I would appreciate a complete example file for this scenario.

note that 192.168.0.0/8 is _not_ a valid private IP class, it should be a B or C class, /8 means a C class (192.x.x.x) — drAlberT, Sep 04 '09 at 11:14
@AlberT: A /8 was equivalent to a class A, not a class C -- but for the sake of all that's holy, STOP USING CLASSFUL NOTATION. It's not helpful. — womble, Sep 04 '09 at 11:39

score 3 · Accepted Answer · answered Sep 04 '09 at 11:23

3

Although not tested, you should be able to use something akin to.

Match Address *,!192.168.0.0/24
    DenyUsers *
    AllowUsers user1 user2 user3

This would go into your sshd_config file.

answered Sep 04 '09 at 11:23

Dan Carley

25,189
5
52
70

score 2 · Answer 2 · answered Sep 06 '09 at 16:13

2

Thank you for your answers. I have also found the following sshd_config syntax at http://ubuntuforums.org/showthread.php?t=523477 :

AllowUsers john
AllowUsers *@192.168.0.*

answered Sep 06 '09 at 16:13

agsamek

301
1
3
12

score 0 · Answer 3 · answered Sep 04 '09 at 11:17

0

Use host or public key authentication on the local LAN and then password authentication.

Than configure known hosts or known_keys for every PC in you intranet

answered Sep 04 '09 at 11:17

drAlberT

10,871
7
38
52

restrict external SSH logins to specific users and allow intranet logins to all

3 Answers3