Emerson Farrugia wrote:
> The configuration most likely to succeed that I've tried so far is
> AllowGroups ssh [EMAIL PROTECTED]

What authentication methods do you use? You could turn off all methods and then selectively turn them back on using the match keyword, e.g.:

    # Only accept connections from users in ssh and lanssh groups
    AllowGroups ssh lanssh

    # Turn off all authentication methods so logins fail by default.
    *** NB You'll need to fill this in ***

    Match Group ssh
    # Turn on authentication methods allowing ssh group to login anywhere.
    *** NB You'll need to fill this in ***

    Match Address 192.168.0.*
    # Turn on authentication methods - allowing all others to login only
    # if on local network.
    *** NB You'll need to fill this in ***

Or what about using PAM?

    # PAM needed to implement restrictions.
    UsePAM yes

And then add the following to the pam sshd file (often /etc/pam.d/sshd):

    account required pam_access.so accessfile=/etc/security/sshd.conf

Then create /etc/security/sshd.conf with the following:

    - : ALL EXCEPT ssh lanssh:192.168.0.0/24

(^^ You should double check this).

This should deny all users, except the ssh group and the lanssh group if logged in through 192.168.0.0/24.

Finally, you could alternatively patch the sshd source so that the match keyword extends to AllowGroups. Then you could use something like:

    Allowgroups ssh

    Match Address 192.168.0.*
    Allowgroups lanssh

Personally, I feel that the PAM option is the best and easiest to implement and maintain (assuming you have it on your system).

Take care,
Ben
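
One way to double check the access file line from the message above, added here as an example and not part of the original post or of pam_access itself: a simplified Python model of pam_access rule evaluation (fields split on ":", first matching rule decides, no match grants access, bare or parenthesised names match user or group). The STRICT rule set, the users and the addresses are constructed for the comparison.

```python
import ipaddress

def _match_list(tokens, pred):
    """List semantics: items before EXCEPT must match, items after must not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], pred) and not _match_list(tokens[i + 1:], pred)
    return any(t == "ALL" or pred(t) for t in tokens)

def _origin_match(token, origin):
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return token == origin  # non-IP token: exact match only in this model

def access_allowed(rules, user, groups, origin):
    """First rule whose users AND origins fields match decides; else grant."""
    names = {user, *groups}
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_match_list(users.split(), lambda t: t.strip("()") in names)
                and _match_list(origins.split(), lambda t: _origin_match(t, origin))):
            return perm == "+"
    return True  # assumption of the model: no matching rule means access granted

AS_POSTED = "- : ALL EXCEPT ssh lanssh:192.168.0.0/24"  # line from the message
STRICT = """\
+ : (ssh) : ALL
+ : (lanssh) : 192.168.0.0/24
- : ALL : ALL
"""  # hypothetical ordered rule set, not from the message
CASES = [  # constructed test identities: (user, groups, origin)
    ("alice", ["ssh"], "203.0.113.7"),
    ("bob", ["lanssh"], "192.168.0.20"),
    ("bob", ["lanssh"], "203.0.113.7"),
    ("mallory", ["users"], "203.0.113.7"),
    ("mallory", ["users"], "192.168.0.20"),
]

def compare():
    """Rows of (user, origin, allowed under AS_POSTED, allowed under STRICT)."""
    return [(u, o, access_allowed(AS_POSTED, u, g, o), access_allowed(STRICT, u, g, o))
            for u, g, o in CASES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In this model the single posted line only denies non-members connecting from 192.168.0.0/24 and matches nothing for other origins, so the two rule sets disagree for bob and mallory at 203.0.113.7; confirm the behaviour against pam_access on a test host before relying on either.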
