Restrict SSH user to connection from one machine

5

During set-up of a home server (running Kubuntu 10.04), I created an admin user for performing administrative tasks that may require an unmounted home. This user has a home directory on the root partition of the box.

The machine has an internet-facing SSH server, and I have restricted the set of users that can connect via SSH, but I would like to restrict it further by making admin only accessible from my laptop (or perhaps only from the local 192.168.1.0/24 range).

I currently have only an

AllowGroups ssh-users

with myself and admin as members of the ssh-users group.

What I want is something that works like you may expect this setup to work (but it doesn't):

$ groups jonathan
... ssh-users
$ groups admin
... ssh-restricted-users
$ cat /etc/ssh/sshd_config
...
AllowGroups ssh-users ssh-restricted-users@192.168.1.*
...

Is there a way to do this? I have also tried this, but it did not work (admin could still log in remotely):

AllowUsers admin@192.168.1.* *
AllowGroups ssh-users

with admin a member of ssh-users.

I would also be fine with only allowing admin to log in with a key, and disallowing password logins, but I could find no general setting for sshd; there is a setting that requires root logins to use a key, but not for general users.

Jonathan

Posted 2011-01-04T17:01:26.980

Reputation: 153

It's not a standard way of doing things, but why don't you instead close off root access totally except at the local level, and give a user su powers? In short, in order to access root, the user must log in, then su to become root. – caliban – 2011-01-04T17:12:54.980

@caliban I have that already. The only purpose of the admin user is to allow changes to /home without logging in as root. I use sudo for everything. – Jonathan – 2011-01-04T18:43:03.547

Although I don't think this will apply to your particular situation, you can apply fine-grained sudo privileges - say, they can run such-and-such command, but not anything else. – Boycott SE for Monica Cellio – 2011-01-04T20:21:59.573

Answers

5

The standard pam_access.so PAM module can restrict logins by remote address, and can be applied to all services, not just ssh.

user1686

Posted 2011-01-04T17:01:26.980

Reputation: 283 655

It worked. It's not perfect; instead of saying Access Denied or similar, like when you type the wrong password, it simply disconnects you, but it does prevent users in ssh-restricted-users from logging in from an outside network, and allows it from the local network. Thanks! – Jonathan – 2011-01-04T20:01:10.567

@Jonathan: I think it could do that if you put the module in the auth section of PAM. (Do not remove it from account, however.) – user1686 – 2011-01-04T20:07:48.230
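As an added example (not part of user1686's answer), the two files that implement this for the question's ssh-restricted-users group, assuming the Debian/Ubuntu PAM layout and `UsePAM yes` in sshd_config (the Ubuntu default); the 192.168.1.0/24 range is taken from the question:

```text
# /etc/pam.d/sshd -- Debian/Ubuntu ship this line commented out; enable it.
# The account stack runs for public-key logins too, so the rule below
# also covers admin's key, not just password logins.
account  required  pam_access.so

# /etc/security/access.conf -- "permission : users or (groups) : origins",
# read top to bottom; the first matching line decides, no match means permit.
# Members of ssh-restricted-users may only come from the LAN or the console.
- : (ssh-restricted-users) : ALL EXCEPT 192.168.1.0/24 LOCAL
+ : ALL : ALL
```

The origin pam_access compares is what sshd hands to PAM as PAM_RHOST: the client's IP address, or the resolved host name if `UseDNS yes` is set. Because the rule sits in the account stack, it runs only after authentication has already succeeded, which is why a rejected client is dropped rather than told "Permission denied"; listing the module in the auth stack as well, as the comment above suggests, moves the rejection into the authentication phase.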

1

It should be possible using the Match directive in sshd_config. To prevent admin from logging in outside your local network, something like this should work:

# Address (not Host) takes CIDR; a negation-only list never matches, hence the "*"
Match User admin Address *,!192.168.1.0/24
    # a hack — is there a better way?
    MaxAuthTries 0

To disable ssh's built-in password authentication for a user (though if I understand the documentation correctly, you can't tune PAM authentication this way, only sshd's built-in password authentication):

Match User admin
    # PasswordAuthentication is sshd's own method; keyboard-interactive is the PAM-driven one
    PasswordAuthentication no
    KbdInteractiveAuthentication no

Gilles 'SO- stop being evil'

Posted 2011-01-04T17:01:26.980

Reputation: 58 319
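The same restriction written the way a current sshd accepts it, using DenyUsers (which sshd_config(5) lists among the keywords allowed inside a Match block) instead of the MaxAuthTries trick, followed by the check that shows which settings sshd would apply to a given client. This is an added example, not part of the answer above; 192.168.1.0/24 comes from the question, and 203.0.113.7 and 192.168.1.20 are made-up client addresses.

```text
# Appended to the END of /etc/ssh/sshd_config: a Match block stays in effect
# until the next Match line or end of file, so anything placed after it is
# scoped to the match as well.
#
# "Address", not "Host", takes CIDR notation. A pattern list consisting only
# of negations never produces a match, so "*" supplies the positive match and
# "!192.168.1.0/24" vetoes clients on the LAN.
Match User admin Address *,!192.168.1.0/24
    DenyUsers admin
```

Validate the file with `sshd -t`, then compare the effective configuration for an outside and a LAN client: `sshd -T -C user=admin,addr=203.0.113.7 | grep -i denyusers` prints `denyusers admin`, while the same command with `addr=192.168.1.20` prints nothing. A refused login is logged as "User admin from 203.0.113.7 not allowed because listed in DenyUsers", so the reason is visible in the auth log rather than only as a dropped connection.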

1

One solution would be to create an SSH key that the host machine will only accept when the connection comes from one IP address, or from a domain or subdomain:

Create the key as normal, something like:

ssh-keygen -t rsa -b 4096 -C "admin@wangadingding.com"

then edit the resulting id_rsa.pub file (you can choose a different base filename), which will look like this:

ssh-rsa AA.....

Edit the file to look like:

from="*.wangadingding.com" ssh-rsa AA....

Add the edited .pub line to ~/.ssh/authorized_keys2 (or create it) on the target machine.

Now anyone using that key (presumably "admin") can only use it from the specified domain.

Rondo

Posted 2011-01-04T17:01:26.980

Reputation: 191
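All three mechanisms on this page (the question's `AllowUsers admin@192.168.1.* *` attempt, the `Match` criteria in Gilles's answer, and the `from="..."` key option in Rondo's answer) run the same pattern-list rules from OpenSSH's match.c and addrmatch.c. The model below is an added example written for this page, not code from OpenSSH or from any of the answers; it reimplements those rules in Python to show why the bare `*` in the AllowUsers attempt lets admin in from anywhere, why a list made only of negations (`!192.168.1.0/24`) never matches, and how `from=` behaves with an address range. Host-name patterns are deliberately not modelled: with `UseDNS no` (the default in current releases) sshd only sees the client address, and sshd_config(5) states that only addresses, not host names, may then be used in `from=` and `Match Host`, so `from="*.wangadingding.com"` needs `UseDNS yes` and working reverse DNS. The sample addresses 192.168.1.20 and 203.0.113.7 are constructed.

```python
"""Model of the pattern matching OpenSSH applies to Match criteria,
AllowUsers entries and authorized_keys from="..." options (added example,
a simplified port of match.c / addrmatch.c, not the page's own code).
Host-name patterns are not modelled; with UseDNS no sshd only has the IP."""
import ipaddress
import re


def match_pattern(s: str, pat: str) -> bool:
    """One pattern: '*' matches any run of characters, '?' exactly one;
    everything else is literal and the whole string must match."""
    rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, s) is not None


def match_pattern_list(s: str, patlist: str) -> int:
    """Comma-separated list with '!' negation (Match User / Group).
    Returns 1 on a positive match, 0 on no match, -1 when a negated entry
    matches. A negated entry vetoes any positive one, and a list made only
    of negations can never return 1."""
    got_positive = False
    for pat in patlist.split(","):
        neg = pat.startswith("!")
        if neg:
            pat = pat[1:]
        if match_pattern(s, pat):
            if neg:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def addr_match_list(addr: str, patlist: str) -> int:
    """Same contract for addresses: each entry is tried as CIDR first and
    falls back to a wildcard string match, so 192.168.1.0/24 and
    192.168.1.* both work."""
    ip = ipaddress.ip_address(addr)
    got_positive = False
    for pat in patlist.split(","):
        neg = pat.startswith("!")
        if neg:
            pat = pat[1:]
        try:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:  # not CIDR: treat as a wildcard pattern
            hit = match_pattern(addr, pat)
        if hit:
            if neg:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def match_block_applies(criteria: dict, user: str, addr: str) -> bool:
    """'Match User <list> Address <list>': every criterion must return exactly 1."""
    checks = {
        "User": lambda pat: match_pattern_list(user, pat) == 1,
        "Address": lambda pat: addr_match_list(addr, pat) == 1,
    }
    return all(checks[key](pat) for key, pat in criteria.items())


def allow_users_permits(entries: list, user: str, addr: str) -> bool:
    """AllowUsers is a permit list: the login is allowed as soon as ANY
    entry matches; an entry is USER or USER@HOST (host part as address here)."""
    for entry in entries:
        upat, _, hpat = entry.partition("@")
        if match_pattern(user, upat) and (not hpat or addr_match_list(addr, hpat) == 1):
            return True
    return False


def from_option_permits(from_value: str, addr: str) -> bool:
    """authorized_keys from="...": the key is usable only on a positive match."""
    return addr_match_list(addr, from_value) == 1


LAN, OUTSIDE = "192.168.1.20", "203.0.113.7"  # constructed sample client addresses

if __name__ == "__main__":
    # The question's attempt: the bare "*" entry matches admin from anywhere.
    print(allow_users_permits(["admin@192.168.1.*", "*"], "admin", OUTSIDE))  # True
    # A negation-only Address list never matches, so this block never fires.
    print(match_block_applies({"User": "admin", "Address": "!192.168.1.0/24"}, "admin", OUTSIDE))  # False
    # Wildcard plus negation: fires for outside clients only.
    print(match_block_applies({"User": "admin", "Address": "*,!192.168.1.0/24"}, "admin", OUTSIDE))  # True
    print(match_block_applies({"User": "admin", "Address": "*,!192.168.1.0/24"}, "admin", LAN))  # False
    # Rondo's key option, with an address range instead of a domain.
    print(from_option_permits("192.168.1.0/24", LAN), from_option_permits("192.168.1.0/24", OUTSIDE))  # True False
```

The AllowUsers case is the one to remember: it is a permit list, so adding a broader entry to "let everyone else in" also lets admin in, and a source restriction on one user has to be expressed as a denial (Match plus DenyUsers, pam_access, or a `from=` option on the only key that user is allowed to use).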