If you use public keys for the users with shells, you could use a Match block with 'PasswordAuthentication no' for those usernames, and 'from="pattern-list"' in their authorized_keys files.
On 2009-05-22, Aaron Martinez <[email protected]> wrote:
> Hi All,
>
> I am setting up an OpenBSD 4.5 stable based pf firewall and was
> wondering if there is a way to make it so only certain users could log
> in from certain IP addresses. I have authpf set up and working well,
> but the problem is if someone that isn't coming from one of my "safe" IP
> addresses, I don't want them to be able to log in using a login name
> that has a standard shell like ksh. I saw the "Match" statement for
> sshd but it looks like the only things that can be set are:
> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
> ForceCommand, GatewayPorts, GSSAPIAuthentication,
> HostbasedAuthentication, KbdInteractiveAuthentication,
> KerberosAuthentication, MaxAuthTries, MaxSessions,
> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
> X11DisplayOffset, X11Forwarding and X11UseLocalHost. None of which
> would allow for what I'm trying. (if I'm understanding this correctly)
>
>
> I'm trying to have authpf authenticate people before they are able to
> use certain services behind the firewall, i.e. pptp server, pop server
> etc., while allowing certain people from static IP addresses to actually
> log into the OpenBSD firewall.
>
> Any ideas greatly appreciated.
>
>
> Thanks in advance.
>
> Aaron Martinez
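
The setup suggested in the reply, written out as an added example that is not part of the original thread. The usernames alice and bob, the addresses (documentation ranges) and the key blob are constructed placeholders; the KbdInteractiveAuthentication line is an extra assumption, taken from the Match keyword list quoted in the question.

```conf
# --- /etc/ssh/sshd_config (excerpt) ---
# alice and bob are hypothetical accounts with a real shell (e.g. ksh).
# authpf accounts are not listed here, so they keep the global settings.
# Keys only for the shell users: a password login would not be subject
# to the from= restriction in authorized_keys.
# KbdInteractiveAuthentication is switched off as well (assumption) so
# no other password-style method remains for these accounts.
Match User alice,bob
    PasswordAuthentication no
    KbdInteractiveAuthentication no

# --- ~alice/.ssh/authorized_keys (one key per line) ---
# The key is accepted only when the client address matches the pattern list.
# Addresses are constructed examples; the key blob is a placeholder, not a real key.
from="192.0.2.10,198.51.100.*" ssh-rsa AAAA...PLACEHOLDER... alice@workstation
```

Run `sshd -t` to check the configuration before reloading sshd. With this in place, a key offered from an address outside the from= list is refused, and the listed accounts have no password method to fall back on.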

