During set-up of a home server (running Kubuntu 10.04), I created an `admin` user for performing administrative tasks that may require an unmounted home. This user has a home directory on the root partition of the box.

The machine has an internet-facing SSH server, and I have restricted the set of users that can connect via SSH, but I would like to restrict it further by making `admin` only accessible from my laptop (or perhaps only from the local 192.168.1.0/24 range).

I currently have only an `AllowGroups ssh-users` with myself and `admin` as members of the `ssh-users` group.

What I want is something that works like you may expect this setup to work (but it doesn't):

```
$ groups jonathan
... ssh-users
$ groups admin
... ssh-restricted-users
$ cat /etc/ssh/sshd_config
...
AllowGroups ssh-users ssh-restricted-users@192.168.1.*
...
```

Is there a way to do this? I have also tried this, but it did not work (`admin` could still log in remotely):

```
AllowUsers admin@192.168.1.* *
AllowGroups ssh-users
```

with `admin` a member of `ssh-users`.

I would also be fine with only allowing `admin` to log in with a key, and disallowing password logins, but I could find no general setting for `sshd`; there is a setting that requires `root` logins to use a key, but not for general users.

It's not a standard way of doing things, but why don't you instead close off root access totally except on the local level, and give a user su powers? In short, in order to access root, user must login, then su to become root. – caliban – 2011-01-04T17:12:54.980

@caliban I have that already. The only purpose of the `admin` user is to allow changes to `/home` without logging in as `root`. I use `sudo` for everything. – Jonathan – 2011-01-04T18:43:03.547

Although I don't think this will apply to your particular situation, you can apply fine-grained sudo privileges - say, they can run such-and-such command, but not anything else. – Boycott SE for Monica Cellio – 2011-01-04T20:21:59.573
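
Added example (not part of the original question or comments): a simplified Python model of how sshd evaluates `AllowUsers` and `AllowGroups`, showing why the second attempt in the question still admits `admin` remotely, next to a candidate directive that names each user explicitly. The candidate configuration, the helper names and the sample addresses are assumptions constructed for illustration; the model covers only `*`/`?` wildcards and address matching, not negation, CIDR or the Deny directives.

```python
import re

def _glob(pattern, value):
    # sshd_config patterns: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def user_allowed(allow_users, user, host):
    # A missing AllowUsers directive places no restriction on the user.
    if not allow_users:
        return True
    for pat in allow_users.split():
        upat, sep, hpat = pat.partition("@")
        # USER@HOST checks both parts; a bare USER pattern ignores the host.
        if _glob(upat, user) and (not sep or _glob(hpat, host)):
            return True
    return False

def group_allowed(allow_groups, groups):
    # AllowGroups matches group names only; it has no @HOST form.
    if not allow_groups:
        return True
    return any(_glob(p, g) for p in allow_groups.split() for g in groups)

def may_login(cfg, user, groups, host):
    # Every Allow* directive that is present must admit the login.
    return (user_allowed(cfg.get("AllowUsers", ""), user, host)
            and group_allowed(cfg.get("AllowGroups", ""), groups))

# Second attempt from the question: the bare "*" admits every user from any host.
QUESTION_CFG = {"AllowUsers": "admin@192.168.1.* *", "AllowGroups": "ssh-users"}
# Candidate (assumption, not from the page): name each user, no catch-all.
CANDIDATE_CFG = {"AllowUsers": "jonathan admin@192.168.1.*", "AllowGroups": "ssh-users"}

LAN, REMOTE = "192.168.1.20", "203.0.113.7"   # constructed sample addresses
GROUPS = ["ssh-users"]                         # both users are in ssh-users

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CFG), ("candidate", CANDIDATE_CFG)):
        for user, host in (("admin", LAN), ("admin", REMOTE), ("jonathan", REMOTE)):
            verdict = "allowed" if may_login(cfg, user, GROUPS, host) else "denied"
            print(name, user, host, verdict)
```
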