Hey.

Perhaps someone can help me with the following (OpenSSH 6.7):

I have a host reachable via miscellaneous interfaces (and network
addresses) running SSH.

Some specific users should only be reachable from the inside, so e.g. I
thought something like this would do the job in sshd_config:

#general config
#...

Match User foo LocalAddress 10.0.0.1,fe80:abba::0
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    RSAAuthentication no
    PubkeyAuthentication yes

Match User foo LocalAddress !10.0.0.1,!fe80:abba::0
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    RSAAuthentication no
    PubkeyAuthentication no

But apparently it never goes into the negative matching block :-(

Also, it seems that hostnames can generally not be used with
LocalAddress... is this expected? Cause that would be kinda nice.

Thanks,
Chris.
On Tue, 24 Feb 2015, Christoph Anton Mitterer wrote:

> Hey.
>
> Perhaps someone can help me with the following (OpenSSH 6.7):
>
> I have a host reachable via miscellaneous interfaces (and network
> addresses) running SSH.
>
> Some specific users should only be reachable from the inside, so e.g. I
> thought something like this would do the job in sshd_config:
>
> #general config
> #...
>
> Match User foo LocalAddress 10.0.0.1,fe80:abba::0
>     PasswordAuthentication no
>     KbdInteractiveAuthentication no
>     RhostsRSAAuthentication no
>     HostbasedAuthentication no
>     KerberosAuthentication no
>     GSSAPIAuthentication no
>     RSAAuthentication no
>     PubkeyAuthentication yes
>
> Match User foo LocalAddress !10.0.0.1,!fe80:abba::0

with HEAD you can do:

Match user foo !localaddress 10.0.0.1...

otherwise you need to have at least one matching term in the predicate, e.g.

Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

> But apparently it never goes into the negative matching block :-(
>
> Also, it seems that hostnames can generally not be used with
> LocalAddress... is this expected? Cause that would be kinda nice.

Yes, it's expected - we don't do DNS lookups there. I don't think we
want to either.

-d
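As an added illustration of the list semantics described in the reply above (this is not OpenSSH code, nor code from anyone in this thread): a small Python model of how sshd evaluates a Match list, in which a negated entry that hits fails the list immediately while a positive hit only sets a flag, so a list consisting of negated entries alone can never match. The CIDR/wildcard split, the plain-inversion treatment of the HEAD-style `!localaddress` keyword, and the 192.0.2.7 "outside" address are my assumptions.

```python
import fnmatch
import ipaddress

def match_list(value, pattern_list, cidr=False):
    """Evaluate a comma-separated sshd Match list: 1 on a positive hit,
    0 when nothing hit, -1 when a '!'-negated entry hit.  A negated hit
    fails immediately; a positive hit only sets a flag, so a list made of
    negated entries alone can never return 1."""
    got_positive = 0
    for entry in pattern_list.split(","):
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if cidr:  # LocalAddress prefers address/CIDR matching ...
            try:
                hit = ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False)
            except ValueError:  # ... and falls back to a wildcard string match
                hit = fnmatch.fnmatchcase(value, entry)
        else:
            hit = fnmatch.fnmatchcase(value, entry)
        if hit and neg:
            return -1
        if hit:
            got_positive = 1
    return got_positive

def match_block(criteria, conn):
    """True when every (keyword, list) criterion matches the connection.
    A keyword written '!localaddress' (the HEAD syntax from the reply) is
    modelled as a plain inversion of that criterion (an assumption)."""
    for keyword, patterns in criteria:
        negate = keyword.startswith("!")
        keyword = keyword.lstrip("!").lower()
        r = match_list(conn[keyword], patterns, cidr=(keyword == "localaddress"))
        if (r == 1) == negate:
            return False
    return True

# Constructed connections: one on the inside address, one on an outside one.
INSIDE = {"user": "foo", "localaddress": "10.0.0.1"}
OUTSIDE = {"user": "foo", "localaddress": "192.0.2.7"}
# The original negative block: negated terms only, so it can never match.
BROKEN = [("User", "foo"), ("LocalAddress", "!10.0.0.1,!fe80:abba::0")]
# The fix from the reply: a positive wildcard plus the exclusions.
FIXED = [("User", "foo"), ("LocalAddress", "*,!10.0.0.1,!fe80:abba::0")]
# HEAD syntax: negate the keyword instead of the entries.
HEAD = [("User", "foo"), ("!LocalAddress", "10.0.0.1,fe80:abba::0")]

for name, block in (("BROKEN", BROKEN), ("FIXED", FIXED), ("HEAD", HEAD)):
    print(name, "inside:", match_block(block, INSIDE), "outside:", match_block(block, OUTSIDE))
```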
On Tue, 2015-02-24 at 10:15 +1100, Damien Miller wrote:
> otherwise you need to have at least one matching term in the predicate, e.g.
> Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

Ah... great :) Thanks a lot, that did the trick.

> > Also, it seems that hostnames can generally not be used with
> > LocalAddress... is this expected? Cause that would be kinda nice.

Well, the nice part about that would be that one can use a hostname which
is e.g. set in /etc/hosts, something like:

1.2.3.4 eth0.localhost

and use that in the ListenAddress and e.g. Match patterns.

Now when the host moves to another address, all one has to do is exchange
one entry in /etc/hosts, instead of many in other places =)

Cheers,
Chris.