> > what about using the "AllowUser u...@host" option in /etc/ssh/sshd_config?
> >
> > If you use ssh keys or kerberos ticket forwarding, then I think that PAM
> > is bypassed entirely depending on your sshd config. check the "UsePAM"
> > sshd option.
> >
> Thanks, Jason. You are right. Currently I have to use ssh keys for root
> in order to be able to test the pam.d/sshd in case I do something
> wrong and lose access to the server.
>
> I also tried AllowUsers in sshd_config. I can limit u...@host2, u...@host3
> but how do I specify other people have no limit?
>
> When I have
> AllowUsers u...@host2 u...@host3
> then I can limit u2 and u3 to login only from u2 and i3, correspondingly,
> but no other users can login.
>
> When I have
> AllowUsers u...@host2 u...@host3 *
> then u2 and u3 can login just fine from anywhere.
I would recommend reading the man page for sshd_config along with the PATTERNS section of ssh_config's man page for more info, but I played with it for a few minutes and accomplished your goal in this manner:

DenyUsers u2@"!host2.fqdn,*" u3@"!host3.fqdn,*"

Basically you are saying to deny u2 from any host except host2.fqdn. On my system it didn't work until I used the FQDN, but I would assume an IP would work as well. If you have more than 1 host they can not log into, just add it in, like this "!host2.fqdn,!host3.fqdn,*", but the PATTERNS section can give you better ways of handling that.

AllowUsers defaults to * so you can leave that line out, or continue whatever you were doing with it previously.

-greg

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
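The DenyUsers trick in greg's reply works because of how sshd's pattern lists treat a negated entry. The following Python model is an added example, not code from the thread and not OpenSSH's own code: it reimplements the match_pattern / match_pattern_list / match_user logic and the DenyUsers-before-AllowUsers order of sshd's allowed_user() check, then runs the three configurations discussed in the thread against constructed login attempts. Simplifications and assumptions: only hostnames are matched (no CIDR or IP-address matching, no AllowGroups/DenyGroups), and the host names and the extra user u4 are placeholders invented for the example.

```python
"""Model of sshd's AllowUsers/DenyUsers evaluation (added example, not OpenSSH code).

Assumptions: host part is a hostname pattern only (no CIDR/IP matching),
group directives are ignored, hostnames and placeholder users are constructed.
"""
import re


def match_pattern(string: str, pattern: str) -> bool:
    """Single glob as in sshd PATTERNS: '*' matches any run, '?' any one char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, string) is not None


def match_pattern_list(string: str, patterns: str) -> int:
    """Comma-separated list with '!' negation.

    Returns 1 on a positive match, -1 as soon as a negated entry matches
    (evaluation stops there), 0 if nothing matched.  A list made only of
    negated entries can therefore never match anything, which is why the
    trailing '*' in "!host2.fqdn,*" is required.
    """
    got_positive = 0
    for sub in patterns.split(","):
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(string, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_user(user: str, host: str, pattern: str) -> bool:
    """One AllowUsers/DenyUsers entry: USER or USER@HOST (hostnames case-insensitive)."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    user_pat, host_pat = pattern.split("@", 1)
    if not match_pattern(user, user_pat):
        return False
    return match_pattern_list(host.lower(), host_pat.lower()) == 1


def allowed_user(user: str, host: str, deny_users=(), allow_users=()) -> bool:
    """sshd order: any DenyUsers match rejects; if AllowUsers is set, a match is required."""
    if any(match_user(user, host, p) for p in deny_users):
        return False
    if allow_users and not any(match_user(user, host, p) for p in allow_users):
        return False
    return True


# Constructed login attempts (user, client hostname); names are placeholders.
ATTEMPTS = [
    ("u2", "host2.fqdn"),
    ("u2", "laptop.example"),
    ("u3", "host3.fqdn"),
    ("u4", "laptop.example"),
]

# The three sshd_config variants from the thread, with shell-style quotes removed.
CONFIGS = {
    "AllowUsers u2@host2.fqdn u3@host3.fqdn":
        dict(allow_users=["u2@host2.fqdn", "u3@host3.fqdn"]),
    "AllowUsers u2@host2.fqdn u3@host3.fqdn *":
        dict(allow_users=["u2@host2.fqdn", "u3@host3.fqdn", "*"]),
    'DenyUsers u2@"!host2.fqdn,*" u3@"!host3.fqdn,*"':
        dict(deny_users=["u2@!host2.fqdn,*", "u3@!host3.fqdn,*"]),
}


def evaluate(config: str) -> dict:
    """Map 'user@host' -> allowed? for every constructed attempt under one config."""
    return {f"{u}@{h}": allowed_user(u, h, **CONFIGS[config]) for u, h in ATTEMPTS}


if __name__ == "__main__":
    for name in CONFIGS:
        print(name)
        for who, ok in evaluate(name).items():
            print(f"  {who:20} {'allow' if ok else 'deny'}")
```

Running it shows the first AllowUsers form locks out u4 entirely, the form with a bare `*` lets u2 in from anywhere (every entry is tried independently, and `*` matches everyone), and the DenyUsers form pins u2 and u3 to their hosts while leaving u4 unrestricted. Two caveats for a real server: a negated-only list such as `!host2.fqdn` denies nobody, so the trailing `*` is not optional; and the host part is compared against the client's reverse-resolved name only when sshd has one. Current OpenSSH defaults UseDNS to no, in which case the host part is matched against the client's IP address and a name-based pattern like the one above will not match, so use an address or CIDR pattern instead. Validate the file with `sshd -t` before restarting.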
