Linux – Restrict SSH user to connection from one machine

Tags: linux, security, ssh

During set-up of a home server (running Kubuntu 10.04), I created an admin user for performing administrative tasks that may require an unmounted home. This user has a home directory on the root partition of the box.

The machine has an internet-facing SSH server, and I have restricted the set of users that can connect via SSH, but I would like to restrict it further by making admin only accessible from my laptop (or perhaps only from the local 192.168.1.0/24 range).

I currently have only an

AllowGroups ssh-users

with myself and admin as members of the ssh-users group.

What I want is something that works like you may expect this setup to work (but it doesn't):

$ groups jonathan
... ssh-users
$ groups admin
... ssh-restricted-users
$ cat /etc/ssh/sshd_config
...
AllowGroups ssh-users ssh-restricted-users@192.168.1.*
...

Is there a way to do this? I have also tried this, but it did not work (admin could still log in remotely):

AllowUsers admin@192.168.1.* *
AllowGroups ssh-users

with admin a member of ssh-users.

I would also be fine with only allowing admin to log in with a key, and disallowing password logins, but I could find no general setting for sshd; there is a setting that requires root logins to use a key, but not for general users.
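To see why the `AllowUsers admin@192.168.1.* *` attempt still lets admin in from anywhere, here is a small model of how sshd evaluates its allow/deny directives. This is an added example, not code from the original post or from OpenSSH: it follows the order documented in sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and the USER@HOST pattern form, where the user and the source address are matched separately. The group table and the two configuration snippets are constructed sample data.

```python
"""Model of sshd's AllowUsers / AllowGroups evaluation (added example, not the
OpenSSH implementation). Order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
A plain pattern matches the user name; USER@HOST also matches the source address
(glob or CIDR). Group membership below is constructed sample data."""
import fnmatch
import ipaddress

# Constructed: primary and supplementary groups of the users in the question.
GROUPS = {
    "jonathan": {"jonathan", "ssh-users"},
    "admin": {"admin", "ssh-users"},
    "guest": {"guest"},
}


def host_matches(pattern, addr):
    """HOST half of USER@HOST: a CIDR block or a glob over the source address."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(addr, pattern)


def user_pattern_matches(pattern, user, addr):
    """A plain pattern matches only the user name; USER@HOST must match both."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and host_matches(hpat, addr)
    return fnmatch.fnmatchcase(user, pattern)


def parse_config(text):
    """Collect the four allow/deny directives from sshd_config text; ignore the rest."""
    conf = {"DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key in conf:
            conf[key].extend(rest.split())
    return conf


def login_allowed(conf, user, addr):
    """True if the (user, source address) pair survives all four directives."""
    groups = GROUPS.get(user, set())
    if any(user_pattern_matches(p, user, addr) for p in conf["DenyUsers"]):
        return False
    if conf["AllowUsers"] and not any(
        user_pattern_matches(p, user, addr) for p in conf["AllowUsers"]
    ):
        return False
    if any(fnmatch.fnmatchcase(g, p) for g in groups for p in conf["DenyGroups"]):
        return False
    if conf["AllowGroups"] and not any(
        fnmatch.fnmatchcase(g, p) for g in groups for p in conf["AllowGroups"]
    ):
        return False
    return True


def check(config_text, user, addr):
    return login_allowed(parse_config(config_text), user, addr)


# The attempt from the question: the bare "*" also matches admin from any host,
# so the host restriction on the first pattern never bites.
BROKEN = """
AllowUsers admin@192.168.1.* *
AllowGroups ssh-users
"""

# Working form: every permitted user is listed explicitly, and admin appears
# only with a host part, so there is no catch-all to fall back on.
FIXED = """
AllowUsers jonathan admin@192.168.1.*
AllowGroups ssh-users
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for addr in ("203.0.113.9", "192.168.1.20"):
            print(f"{label}: admin from {addr} -> {check(cfg, 'admin', addr)}")
```

The host part may also be a CIDR block (`admin@192.168.1.0/24`), which the model accepts as well. For the key-only part of the question, sshd's `Match User admin` block with `PasswordAuthentication no` under it restricts password logins to that one user without touching the global setting.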

Best Answer

  • The standard pam_access.so PAM module can restrict logins by remote address, and can be applied to all services, not just ssh.
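As an added example (not part of the answer, and not the pam_access source), this models how pam_access evaluates an `/etc/security/access.conf` table for the setup in the question: each line is `permission : users : origins`, the table is scanned top-down, and the first line matching the (user, origin) pair decides. The access.conf content and the group table are constructed sample data; IPv6 origins are not handled.

```python
"""Model of pam_access access.conf evaluation (added example, not the module's
own code). Supported origin items: ALL, an exact address, a "192.168.1." prefix,
a CIDR block, and the EXCEPT operator. Users may be names, ALL, or "(group)".
IPv6 origins are not handled because ":" is the field separator here."""
import ipaddress

# Constructed group membership.
GROUPS = {"jonathan": {"ssh-users"}, "admin": {"ssh-users"}}

# Constructed /etc/security/access.conf: admin may log in only from the LAN;
# everyone else falls through to the final permit line. sshd's own
# AllowGroups check still runs before PAM is consulted.
ACCESS_CONF = """
# permission : users : origins
- : admin : ALL EXCEPT 192.168.1.0/24
+ : ALL : ALL
"""


def origin_item_matches(item, addr):
    """One origin item against the client address."""
    if item == "ALL":
        return True
    if "/" in item:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(item, strict=False)
    if item.endswith("."):
        return addr.startswith(item)
    return item == addr


def user_item_matches(item, user):
    """One users-field item: a name, ALL, or a group in parentheses."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in GROUPS.get(user, set())
    return item == user


def list_matches(items, value, item_matches):
    """pam_access list semantics: anything before EXCEPT must match, and the
    remainder (evaluated recursively) must not."""
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        head, tail = items[:idx], items[idx + 1:]
    else:
        head, tail = items, []
    if not any(item_matches(i, value) for i in head):
        return False
    return not list_matches(tail, value, item_matches) if tail else True


def parse_access_conf(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def access_allowed(rules, user, addr):
    """First matching rule decides; pam_access permits when nothing matches."""
    for perm, users, origins in rules:
        if list_matches(users, user, user_item_matches) and list_matches(
            origins, addr, origin_item_matches
        ):
            return perm == "+"
    return True


def check(user, addr, text=ACCESS_CONF):
    return access_allowed(parse_access_conf(text), user, addr)


if __name__ == "__main__":
    for user, addr in (("admin", "203.0.113.9"), ("admin", "192.168.1.20"),
                       ("jonathan", "203.0.113.9")):
        print(f"{user} from {addr}: {'permit' if check(user, addr) else 'deny'}")
```

To apply this on the real system, the sshd PAM stack (`/etc/pam.d/sshd`) needs an `account required pam_access.so` line and sshd_config needs `UsePAM yes`; sshd hands PAM the client address as the origin, so keeping `UseDNS no` ensures the address rather than a reverse-resolved hostname is what the table is matched against.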
