[TriLUG] limiting ssh
Mike Broome
mbroome at employees.org
Thu Jan 24 18:27:33 EST 2002
Kevin,
I don't have any experience with using or debugging access.conf files,
but I decided to take the challenge of finding a description of the file
syntax. It wasn't as easy as I thought it would be. I finally tracked it
down in /usr/share/doc/pam-0.75/txts/README.pam_access on a RH 7.2 box.
(The exact path may vary based on PAM version and distro.)
Here's the relevant section about the syntax of the third field that you
are trying to change:
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches) or LOCAL (matches any string that does not contain a "."
# character).
So the way I grok the description leads me to believe that in order to
allow access for user "user" from any host on the 10.x.x.x network, you
would use the line:
+:user:10.
Was that one of the variations that you tried?
Mike
On Thu, Jan 24, 2002 at 05:30:26PM -0500, Kevin Hunter wrote:
>
> I went w/ the following advice:
>
> 1) Copy /etc/security/access.conf to /etc/security/sshd_access.conf
>
> 2) Modify /etc/security/sshd_access.conf to taste.
> For the mail server at work, where a lot of people have accounts but
> I don't want the riffraff to get shell access:
>
> +:adminuser1:ALL
> +:adminuser2:ALL
> -:ALL:ALL
>
> 3) Add to /etc/pam.d/sshd:
> account required /lib/security/pam_access.so accessfile=/etc/security/sshd_access.conf
>
> However, what would be great is if I could define a user to just get
> in from our local 10.x.x.x network which is natd'd off a freebsd box
> that's also connected to the dmz my web server sits on. I just can't
> get the syntax right. I've tried a bunch of different variations.
> If someone has done this, please let me know.
>
> # sshd_access.conf
> +:wheel:ALL
> +:user:10.x.x.0. ???
> -:ALL:ALL
>
--
Mike Broome
mbroome(at)employees.org
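To make the matching rules from the README concrete, here is an added example (not code from this thread or from pam_access itself): a small Python model of how an access.conf file is evaluated. It implements only the third-field rules quoted above (ALL, LOCAL, domain names beginning with ".", network numbers ending with ".", and exact host/address/tty matches), plus first-match-wins ordering, and runs Kevin's sshd_access.conf and the mail-server file through it. The group table, the sample file and the test addresses are constructed for the example; real pam_access has additional syntax this model does not cover.

```python
# Added example: a simplified model of pam_access access.conf evaluation.
# Not pam_access's own code; it implements only the third-field rules
# quoted from README.pam_access in the thread, plus first-match-wins order.

import re

# Constructed group table standing in for /etc/group lookups.
GROUPS = {
    "alice": {"wheel"},   # alice is in wheel, so "+:wheel:ALL" applies to her
    "user": set(),
    "bob": set(),
}

# Constructed sample file built from the configuration in the thread.
SSHD_ACCESS_CONF = """\
# sshd_access.conf
+:wheel:ALL
+:user:10.
-:ALL:ALL
"""


def parse_access_conf(text):
    """Return a list of (allow, users, origins) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        perm, users, origins = fields
        rules.append((
            perm == "+",
            re.split(r"[\s,]+", users.strip()),    # list items: whitespace/commas
            re.split(r"[\s,]+", origins.strip()),
        ))
    return rules


def user_matches(item, user, groups):
    """Second field: ALL, a login name, or a group the user belongs to."""
    if item == "ALL":
        return True
    return item == user or item in groups.get(user, set())


def origin_matches(item, origin):
    """Third field, following the README rules quoted in the thread."""
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin                  # tty names, unqualified hosts
    if item.endswith("."):
        return origin.startswith(item)            # network number, e.g. "10."
    if item.startswith("."):
        return origin.lower().endswith(item.lower())  # domain suffix
    return origin.lower() == item.lower()         # exact host, address or tty


def check_access(rules, user, origin, groups=GROUPS):
    """First matching rule wins. With no matching rule pam_access grants
    access, which is why these files end with an explicit -:ALL:ALL."""
    for allow, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(SSHD_ACCESS_CONF)
    for who, where in [("alice", "203.0.113.7"), ("user", "10.1.2.3"),
                       ("user", "192.168.1.1"), ("bob", "10.1.2.3")]:
        verdict = "allow" if check_access(rules, who, where) else "deny"
        print("%s from %s -> %s" % (who, where, verdict))
```

Running it shows why "+:user:10." is the line to try: a "10." entry is a plain string-prefix match against the remote address, so "10.1.2.3" matches it while "192.168.1.1" falls through to the final "-:ALL:ALL". An entry like "10.x.x.0." is also treated as a literal prefix and therefore matches nothing.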