Pantek Library

Re: Restrict a SSH account to a single IP

From: Greg Wooledge <wooledg(at)eeg.ccf.org>
Date: Mon Dec 02 2002 - 10:26:52 EST

On Sat, Nov 30, 2002 at 02:00:10PM -0500, Bobby Patel wrote:
> What I want is to restrict one user's account to only be able to ssh in from

Here's one way to go about it. It may not be the most elegant, but it should work. I'm assuming OpenSSH is the server.

  1. Create a second sshd_config file with a different name.
  2. Put this user's name in AllowUsers.
  3. Specify an alternate Port.
  4. Use a method of your choice to permit connections to the secondary sshd ONLY from the IP address you wish. This can be done at the application level with /etc/hosts.{allow,deny} if you built ssh with TCP wrappers. It could also be done at the firewall/kernel level depending on your OS.
  5. Put the user's name in DenyUsers in the primary sshd_config file.
  6. Configure the user's SSH client to use the alternate port. (This shouldn't be too hard, since you're already restricting the user to a single IP. Of course it will depend on which client is used.)

Now start up both instances of sshd, with their respective sshd_config files. The normal one will deny logins by this user, but the second one will not. The second one will deny all IP addresses other than the one you specified, and will also deny all users other than the one you named.

Received on Tue Dec 3 13:30:58 2002
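The six steps in the message above, as an added example that is not part of the original post: a shell script that writes the files for the two-daemon setup and checks that the primary and secondary configurations agree. The user `bobby`, address `192.0.2.10`, port `2222`, the output file names and the daemon name `sshd-restricted` are all assumptions; the TCP wrappers lines assume the second daemon runs under that process name, since wrapper rules are matched on the daemon's name.

```shell
#!/bin/sh
# Added example, not from the original post. All names and values are constructed.

# write_split_config OUTDIR USER SOURCE_IP ALT_PORT
write_split_config() {
    out=$1 user=$2 ip=$3 port=$4
    mkdir -p "$out" || return 1

    # Steps 1-3: config for the second sshd (started with: sshd -f <this file>).
    # A separate PidFile keeps the two instances from overwriting each other's.
    cat > "$out/sshd_config.restricted" <<EOF
Port $port
AllowUsers $user
PidFile /var/run/sshd-restricted.pid
EOF

    # Step 4, TCP wrappers variant: hosts.allow is consulted before hosts.deny,
    # so the single address is admitted and everything else is refused.
    # Assumption: the second daemon's process name is "sshd-restricted".
    printf 'sshd-restricted: %s\n' "$ip" > "$out/hosts.allow.fragment"
    printf 'sshd-restricted: ALL\n'      > "$out/hosts.deny.fragment"

    # Step 5: line to add to the primary sshd_config.
    printf 'DenyUsers %s\n' "$user" > "$out/primary.fragment"
}

# check_split PRIMARY_CONFIG SECONDARY_CONFIG USER
# Returns 0 only if the user is denied on the primary daemon, is the sole
# AllowUsers entry on the secondary, and the secondary is not on port 22.
# USER is used inside a regex, so it must be a plain account name.
check_split() {
    primary=$1 secondary=$2 user=$3
    grep -Eq "^DenyUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$user([[:space:]]|\$)" \
        "$primary" || return 1
    grep -Eq "^AllowUsers[[:space:]]+$user[[:space:]]*\$" "$secondary" || return 2
    grep -Eq '^Port[[:space:]]+[0-9]+[[:space:]]*$' "$secondary" || return 3
    ! grep -Eq '^Port[[:space:]]+22[[:space:]]*$' "$secondary" || return 4
}

# Run as: ./split-sshd.sh ./out bobby 192.0.2.10 2222
if [ "$#" -eq 4 ]; then
    write_split_config "$@"
fi
```

If `check_split` returns 1 against the live primary config, the user can still reach the unrestricted daemon from any address, which defeats the setup.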

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:51 EDT

