Ubuntu – How to restrict a specified SSH user to connect only from one IP or hostname


I have a monitoring server that requires the SSH connection details of a non-sudo user account of each box it monitors. Is there a way that I can configure a specific user account such that it can only be logged into from a specific IP (or better yet hostname)? I do not want to restrict the ability of other users on the server to be able to connect from other addresses (otherwise I'd just use a firewall), or use password authentication for the monitoring service only.

Best Answer

  • See man sshd_config. There is a possibility to add an AllowUsers block where you can specify both the user and the host like this:

    # host may also be an IP address
    AllowUsers user@host

    Of course, you also need to specify the other users you want to allow to log in, if you have any.

    Another solution (depends on bug fixes!)

    As I think about it once more, there is a possibility to modify your sshd_config like this:

    Match Host !hostname
        DenyUsers user
    Match Host hostname
        AllowUsers user

    This would easily block all users except user from hostname, and from everywhere else it would block user.

    BUT it doesn't work, because of a few bugs reported upstream [1] [2]. But we were promised it will get fixed in the next release.
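
The effect of the AllowUsers approach above can be checked offline before touching a live sshd. The following is an added example, not part of the original answer and not OpenSSH code: a simplified Python model of USER@HOST matching as described in sshd_config(5) (wildcards and CIDR only, no negated patterns). The account names, host names and addresses in the sample are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: "monitor" is pinned to one source; other accounts must be
# listed too, because an AllowUsers directive rejects every unlisted user.
SAMPLE_CONFIG = """\
# monitoring account restricted to the monitoring server
AllowUsers monitor@192.0.2.10 alice bob@*.example.org ops@10.0.0.0/8
"""

def _glob(pattern, value, ignore_case=False):
    """sshd-style wildcards: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _host_ok(pattern, host, addr):
    """HOST part of USER@HOST: a CIDR network, or a wildcard on name or address."""
    if "/" in pattern:
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return _glob(pattern, host, True) or _glob(pattern, addr, True)

def allow_patterns(config):
    """Collect the patterns of every AllowUsers line (comment lines are skipped)."""
    patterns = []
    for line in config.splitlines():
        words = line.split()
        if words and words[0].lower() == "allowusers":
            patterns.extend(words[1:])
    return patterns

def may_login(config, user, host, addr):
    """True if AllowUsers, when present, admits this user from this source."""
    patterns = allow_patterns(config)
    if not patterns:
        return True  # no AllowUsers directive: this check restricts nobody
    for pat in patterns:
        upat, sep, hpat = pat.rpartition("@")
        if not sep:  # plain USER pattern: any source is accepted
            upat, hpat = pat, None
        if _glob(upat, user) and (hpat is None or _host_ok(hpat, host, addr)):
            return True
    return False
```

An account that appears nowhere in the AllowUsers line is refused from every address, which is why the other users have to be listed alongside the restricted one.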