Re: sshd question

2006-08-14 Thread holger glaess
-Original Message-
From: Jeff Nelson [EMAIL PROTECTED]
Sent: 09.08.06 02:37:53
To: misc@openbsd.org
Subject: Re: sshd question


On Tue, Aug 08, 2006 at 10:04:03AM +0200, holger glaess wrote:
 I hope this list is the right one for my question.
 
 I am looking for a function to limit login by name AND IP range.
 
 Example:
 
 root login ALLOW from www.xxx.yyy.zzz 
 deny from all
 
 myname login ALLOW from all 
 deny from www.xxx.yyy.zzz

The OpenBSD sshd is compiled with libwrap support.
Please see:

man 5 hosts.allow
man 5 hosts.deny

Have a great day!
-jeff

hi

Thanks all for the answers, but it doesn't work for me, or doesn't do what I want.

OK, my setup:

2 boxes with separate IPs and a CARP IP.
The sshd listens on localhost and on the interface IPs, not on the CARP IP.
I do an
rdr on wan_if proto tcp from any to carp ip port 22 -> 127.0.0.1 port 22
and block any.

OK,
what I want is that the authpf user is able to log on to the CARP IP for 
authentication, but not root.
Once the authpf user is authenticated, root is able to log on to the 
interface IP (this is done by authpf rules).

If I put AllowUsers authpf in sshd_config, the root user isn't able to log on 
to the box (doesn't matter which IP / interface).
(The log file says root user is not in AllowUsers, blah blah.)

can anyone help me ?

holger



sshd question

2006-08-08 Thread holger glaess
hi

I hope this list is the right one for my question.

I am looking for a function to limit login by name AND IP range.

Example:

root login ALLOW from www.xxx.yyy.zzz 
deny from all

myname login ALLOW from all 
deny from www.xxx.yyy.zzz

Does a feature / function of sshd exist to do this, or do I need additional 
software?

I didn't want to start a discussion about security and why I permit 
login as root.

holger



Re: sshd question

2006-08-08 Thread Dmitri A. Alenitchev

Hello,

On 8/8/06, holger glaess [EMAIL PROTECTED] wrote:

hi

I hope this list is the right one for my question.

I am looking for a function to limit login by name AND IP range.

Example:

root login ALLOW from www.xxx.yyy.zzz
deny from all

myname login ALLOW from all
deny from www.xxx.yyy.zzz

Does a feature / function of sshd exist to do this, or do I need additional 
software?


sshd_config(5):

AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces.  If specified, login is allowed only for
user names that match one of the patterns.  Only user names are
valid; a numerical user ID is not recognized.  By default, login
is allowed for all users.  If the pattern takes the form
USER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts.  The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.

See PATTERNS in ssh_config(5) for more information on patterns.

For example, AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED]


I didn't want to start a discussion about security and why I permit 
login as root.

holger


--
Dmitri A. Alenitchev
No place like $HOME
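As an added example (not code from the thread or from OpenSSH), the Python below models the decision sshd_config(5) describes above: DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups, with USER@HOST patterns split and each half checked separately. It is run against Holger's example policy and against the bare "AllowUsers authpf" line from his follow-up. The addresses are constructed from the documentation ranges and stand in for www.xxx.yyy.zzz. Two caveats worth keeping in mind: the HOST half is matched against the client's address (and reverse name if sshd has it), not against the address the server was reached on, and the model only does '*' / '?' wildcards; the CIDR address lists accepted by later OpenSSH releases are not modelled.

```python
"""Model of sshd's user allow/deny decision as described in sshd_config(5).

Added example, not code from the thread or from OpenSSH.  It follows the
documented order (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and splits
USER@HOST patterns so that the two halves are checked separately.  The
reason strings mirror the "not allowed because ..." lines sshd logs.

Simplifications: patterns support only the '*' and '?' wildcards, and the
HOST half is matched against the client's address (and reverse name, if
known).  CIDR address lists, accepted by later OpenSSH releases, are not
modelled.  All addresses below are constructed from the documentation ranges.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple


def match_pattern(value: str, pattern: str) -> bool:
    """sshd-style wildcard match: '*' is any run of characters, '?' any one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def match_host_and_ip(host: Optional[str], ip: str, pattern: str) -> bool:
    """The HOST half of USER@HOST is satisfied by the client's name or its IP."""
    if host is not None and match_pattern(host.lower(), pattern.lower()):
        return True
    return match_pattern(ip, pattern)


def match_user(user: str, host: Optional[str], ip: str, pattern: str) -> bool:
    """A bare pattern covers the user from any client; USER@HOST needs both halves."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    user_pat, host_pat = pattern.rsplit("@", 1)
    return match_pattern(user, user_pat) and match_host_and_ip(host, ip, host_pat)


def allowed_user(
    user: str,
    groups: Sequence[str],
    host: Optional[str],
    ip: str,
    deny_users: Sequence[str] = (),
    allow_users: Sequence[str] = (),
    deny_groups: Sequence[str] = (),
    allow_groups: Sequence[str] = (),
) -> Tuple[bool, str]:
    """Return (allowed, reason), evaluated in the order sshd_config(5) specifies."""
    who = f"User {user} from {ip}"
    if any(match_user(user, host, ip, p) for p in deny_users):
        return False, f"{who} not allowed because listed in DenyUsers"
    if allow_users and not any(match_user(user, host, ip, p) for p in allow_users):
        return False, f"{who} not allowed because not listed in AllowUsers"
    if any(match_pattern(g, p) for p in deny_groups for g in groups):
        return False, f"{who} not allowed because a group is listed in DenyGroups"
    if allow_groups and not any(match_pattern(g, p) for p in allow_groups for g in groups):
        return False, f"{who} not allowed because none of user's groups are listed in AllowGroups"
    return True, f"{who} allowed"


# Constructed admin address standing in for www.xxx.yyy.zzz in the original question.
ADMIN_HOST = "192.0.2.10"

# Holger's example policy: root only from the admin host, myname from anywhere
# except the admin host.  DenyUsers is evaluated first, so the exception for
# myname wins over the broader "myname@*" AllowUsers entry.
OP_POLICY: Dict[str, List[str]] = {
    "deny_users": [f"myname@{ADMIN_HOST}"],
    "allow_users": [f"root@{ADMIN_HOST}", "myname@*"],
}

# The configuration from the follow-up message: a bare "AllowUsers authpf"
# names no host, so every other user is refused from every client address.
AUTHPF_ONLY: Dict[str, List[str]] = {"allow_users": ["authpf"]}


def decide(user: str, ip: str, policy: Dict[str, List[str]] = OP_POLICY) -> bool:
    """Convenience wrapper: no reverse DNS, no group checks."""
    return allowed_user(user, groups=[], host=None, ip=ip, **policy)[0]


if __name__ == "__main__":
    for user, ip in [("root", ADMIN_HOST), ("root", "198.51.100.7"),
                     ("myname", "198.51.100.7"), ("myname", ADMIN_HOST)]:
        print(allowed_user(user, [], None, ip, **OP_POLICY)[1])
    print(allowed_user("root", ["wheel"], None, ADMIN_HOST, **AUTHPF_ONLY)[1])
```

Running it prints one line per case; the last one is the same "not listed in AllowUsers" message Holger saw in his log, because with only "authpf" in AllowUsers no client address can make root acceptable.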



Re: sshd question

2006-08-08 Thread Dag Richards

holger glaess wrote:

hi

I hope this list is the right one for my question.

I am looking for a function to limit login by name AND IP range.

Example:

root login ALLOW from www.xxx.yyy.zzz 
deny from all

myname login ALLOW from all 
deny from www.xxx.yyy.zzz

Does a feature / function of sshd exist to do this, or do I need additional 
software?

I didn't want to start a discussion about security and why I permit 
login as root.

holger


I think this request looks kinda silly

use pf

block quick log on $ext_if  proto { tcp udp }  from bad_people to any


to keep out those you don't want on that you know you don't want on.

Require certs with passwords, no tunneled plaintext passwords.
You don't HAVE to allow root logins, make people login as themselves and 
su, or better sudo.




Re: sshd question

2006-08-08 Thread Jeff Nelson
On Tue, Aug 08, 2006 at 10:04:03AM +0200, holger glaess wrote:
 I hope this list is the right one for my question.
 
 I am looking for a function to limit login by name AND IP range.
 
 Example:
 
 root login ALLOW from www.xxx.yyy.zzz 
 deny from all
 
 myname login ALLOW from all 
 deny from www.xxx.yyy.zzz

The OpenBSD sshd is compiled with libwrap support.
Please see:

man 5 hosts.allow
man 5 hosts.deny

Have a great day!
-jeff