I would like to allow ssh access from 1) anyone on the 192.168.1.0/24 network or 2) anyone on a list of users.
If someone meets either of these criteria, they can log in. The goal is to block everyone except a small list of trusted souls from accessing the linux system when they are out of the building. As long as you are in the building and have a username and password, you can log in. If they meet these criteria, they still have to log in.

The default ssh file in pam.d uses

    auth required pam_listfile.so

to block the root user. It seems that I can reverse the sense from sense=deny to sense=allow and replace root with all of the legal remote users in the file. It also seems that I can allow people from 192.168.1.0/24 using pam_listfile with item=rhost. I do not have an example of what the file looks like. I would like it to look like this:

    192.168.1.0/24

The only ?working? version looks like

    host.domain.com

I then want the user to be required to login with a valid Active Directory username. I already have that working with winbind:

    pam_stack.so service=system-auth

(I renamed the winbind service to system-auth to avoid having to change every pam file.) I am a bit unclear about what ssh does with

    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

There seems to be some duplication - everyone calls pam_stack.so exactly the same way.
I have something like this in the pam.d/ssh file:

    #block root
    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
    # basic requirement of a username and password
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    # Ok so they have the keys; but are they in the right places
    #allow the chosen people no matter from where
    account sufficient pam_listfile.so item=user sense=allow file=/etc/ssh/allowusers
    #allow the riff-raff as long as they are at work
    account required pam_listfile.so item=rhost sense=allow file=/etc/ssh/allow192
    account required pam_stack.so service=system-auth ---- This looks redundant
    password required pam_stack.so service=system-auth --- ????
    session required pam_stack.so service=system-auth --- ????

Using the above pam.d/sshd file I can log in if I am on the list of God's chosen, but the others cannot get in unless I have listed the fully qualified host name in allow192. Is there some way to have the IP address range used instead of the host name?

Ron
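To see what the account stack above would decide for sample logins, here is an added Python model (not part of the original post, and not PAM or pam_listfile code): it applies Linux-PAM's required/sufficient rules to the three account entries and substitutes a CIDR test for the rhost entry, which real pam_listfile does not do (it compares the PAM_RHOST string literally, so a hostname handed over by sshd never matches an address range). The usernames, addresses and allow lists are constructed stand-ins for /etc/ssh/allowusers and /etc/ssh/allow192.

```python
import ipaddress

# Constructed stand-ins for the poster's /etc/ssh/allowusers and /etc/ssh/allow192
ALLOW_USERS = {"alice", "bob"}
ALLOW_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def rhost_in_allowed_net(rhost):
    """True only if rhost is an IP literal inside an allowed network.
    A hostname (what sshd passes as PAM_RHOST when reverse DNS succeeds)
    is not an address, so it never matches; that is why a literal
    string match in allow192 only worked with the fully qualified name."""
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return False
    return any(addr in net for net in ALLOW_NETS)


def run_stack(stack, user, rhost):
    """Evaluate (control, check) entries with Linux-PAM semantics for the two
    control flags the poster's file uses:
      required   - a failure is remembered and the stack keeps running
      sufficient - a success ends the stack with success, unless an earlier
                   required entry already failed"""
    failed = False
    for control, check in stack:
        ok = check(user, rhost)
        if control == "required":
            failed = failed or not ok
        elif control == "sufficient":
            if ok and not failed:
                return True
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return not failed


# The poster's 'account' phase, in order; system-auth is assumed to pass here.
ACCOUNT_STACK = [
    ("sufficient", lambda u, r: u in ALLOW_USERS),        # pam_listfile item=user sense=allow
    ("required", lambda u, r: rhost_in_allowed_net(r)),   # item=rhost, with the CIDR test wanted
    ("required", lambda u, r: True),                      # pam_stack service=system-auth
]


def account_allowed(user, rhost):
    """Decision of the modelled account phase for one login attempt."""
    return run_stack(ACCOUNT_STACK, user, rhost)


if __name__ == "__main__":
    for u, r in [("alice", "203.0.113.9"), ("carol", "192.168.1.42"),
                 ("carol", "203.0.113.9"), ("carol", "host.domain.com")]:
        print(u, r, "->", "allow" if account_allowed(u, r) else "deny")
```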
