Hey.
Perhaps someone can help me with the following (OpenSSH 6.7):
I have a host reachable via miscellaneous interfaces (and network
addresses) running SSH.
Some specific users should be only reachable from the inside, so e.g. I
thought something like this would do the job in sshd_config:
#general config
#...

Match User foo LocalAddress 10.0.0.1,fe80:abba::0
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    RSAAuthentication no
    PubkeyAuthentication yes

Match User foo LocalAddress !10.0.0.1,!fe80:abba::0
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    RSAAuthentication no
    PubkeyAuthentication no
But apparently it never goes into the negative matching block :-(
Also, it seems that hostnames can generally not be used with
LocalAddress,.. is this expected? Cause that would be kinda nice.
Thanks,
Chris.
On Tue, 24 Feb 2015, Christoph Anton Mitterer wrote:

> Hey.
>
> Perhaps someone can help me with the following (OpenSSH 6.7):
>
> I have a host reachable via miscellaneous interfaces (and network
> addresses) running SSH.
>
> Some specific users should be only reachable from the inside, so e.g.
> though something like this would do the job in sshd_config:
>
> #general config
> #...
>
> Match User foo LocalAddress 10.0.0.1,fe80:abba::0
> PasswordAuthentication no
> KbdInteractiveAuthentication no
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication no
> RSAAuthentication no
> PubkeyAuthentication yes
>
> Match User foo LocalAddress !10.0.0.1,!fe80:abba::0

with HEAD you can do:

Match user foo !localaddress 10.0.0.1...

otherwise you need to have at least one matching term in the predicate, e.g.

Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

> But apparently it never goes into the negative matching block :-(
>
> Also, it seems that hostnames can generally not be used with
> LocalAddress,.. is this expected? Cause that would be kinda nice.

Yes, it's expected - we don't do DNS lookups there. I don't think we want
to either.

-d
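To make the behaviour in Damien's reply concrete, here is a small model of how a "Match ... LocalAddress" predicate is evaluated. This is an added example for this thread, not OpenSSH's own code: it follows the rule he describes (a negated entry that matches rejects the list at once, a positive entry that matches is remembered, and the list only matches if some positive entry matched), tries each address entry as a CIDR/host address before falling back to a wildcard pattern, and models the "!localaddress" keyword form he mentions for HEAD as a simple inversion of that one test. The connection dicts and the three Match lines are constructed sample input; only the User and LocalAddress criteria are modelled.

```python
"""Model of sshd_config "Match ... LocalAddress" evaluation (added example,
not OpenSSH code).  Shows why a list made only of negated entries never
matches and why "*,!10.0.0.1,..." does."""
import fnmatch
import ipaddress


def pattern_match_list(string, pattern_list):
    """Glob-style list match with "!" negation, as used for the User criterion."""
    matched = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if fnmatch.fnmatchcase(string, pattern):
            if negated:
                return False      # a negated hit rejects the whole list
            matched = True        # remember the positive hit, keep scanning
    return matched


def addr_match_list(addr, pattern_list):
    """Address-list match: each entry is a CIDR/host address or a wildcard."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if not entry:
            raise ValueError("empty entry in address list")
        try:
            net = ipaddress.ip_network(entry, strict=False)
            hit = ip in net                          # False on v4/v6 mismatch
        except ValueError:
            hit = fnmatch.fnmatchcase(addr, entry)   # e.g. "*" or "10.0.0.*"
        if hit:
            if negated:
                return False      # negated hit: list does not match
            matched = True        # positive hit: remembered, keep scanning
    return matched                # only true if a positive entry matched


def match_line(criteria, conn):
    """Evaluate the criteria of a "Match" line (keyword/value pairs, ANDed).

    conn is a dict with "user" and "laddr" (the local address the client
    connected to).  A keyword written as "!localaddress" inverts that test,
    modelling the HEAD syntax mentioned in the thread (assumed form).
    """
    tokens = criteria.split()
    if len(tokens) % 2:
        raise ValueError("Match criteria must be keyword/value pairs")
    for keyword, value in zip(tokens[::2], tokens[1::2]):
        negate = keyword.startswith("!")
        keyword = (keyword[1:] if negate else keyword).lower()
        if keyword == "user":
            hit = pattern_match_list(conn["user"], value)
        elif keyword == "localaddress":
            hit = addr_match_list(conn["laddr"], value)
        else:
            raise ValueError("criterion not modelled here: " + keyword)
        if hit == negate:         # plain test failed, or negated test succeeded
            return False
    return True


if __name__ == "__main__":
    # Constructed sample connections: one arriving on the inside address,
    # one on some other interface of the same host.
    inside = {"user": "foo", "laddr": "10.0.0.1"}
    outside = {"user": "foo", "laddr": "192.0.2.5"}
    for crit in ("User foo LocalAddress !10.0.0.1,!fe80:abba::0",    # never matches
                 "User foo LocalAddress *,!10.0.0.1,!fe80:abba::0",   # the workaround
                 "user foo !localaddress 10.0.0.1"):                  # HEAD form
        print(crit, "-> inside:", match_line(crit, inside),
              "outside:", match_line(crit, outside))
```

The first Match line returns False for both connections, which is the "never goes into the negative matching block" symptom: with no positive entry there is nothing to remember, so the list can never match. On a real host the same check is done against the actual configuration with sshd's extended test mode, e.g. `sshd -T -C user=foo,laddr=10.0.0.1` (assuming a version whose `-C` accepts `laddr`), which prints the effective settings after the applicable Match blocks are applied.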
On Tue, 2015-02-24 at 10:15 +1100, Damien Miller wrote:

> otherwise you need to have at least one matching term in the predicate, e.g.
> Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

Ah,.. great :) Thanks a lot, that did the trick.

> > Also, it seems that hostnames can generally not be used with
> > LocalAddress,.. is this expected? Cause that would be kinda nice.

Well, the nice part about that would be that one can use a hostname, which
is e.g. set in /etc/hosts, something like:

1.2.3.4 eth0.localhost

and use that in the ListenAddress and e.g. Match patterns.
Now when the host moves to another address, all one has to do is exchange
one entry in /etc/hosts, instead of many in other places =)

Cheers,
Chris.