I have a monitoring server that requires the SSH connection details of a non-sudo user account of each box it monitors. Is there a way that I can configure a specific user account such that it can only be logged into from a specific IP (or better yet hostname)? I do not want to restrict the ability of other users on the server to be able to connect from other addresses (otherwise I'd just use a firewall), or use password authentication for the monitoring service only.
4 Answers
See man sshd_config. There is the possibility to add an AllowUsers block where you can specify both user and host like this:
AllowUsers user@host # or IP
Of course you also need to specify the other users you want to allow to log in, if you have any.
Another solution (depends on bug fixes!)
As I think about it once more, there is the possibility to modify your sshd_config like this:
Match Host !hostname
DenyUsers user
Match Host hostname
AllowUsers user
This would easily block all users except user from hostname, and from everywhere else it would block user.
BUT it doesn't work, because of a few bugs reported upstream [1] [2]. But we have been promised it will get fixed in the next release.
- I did see that but was hoping there was a way I didn't have to specify all the other user accounts. I take it there is nothing like order of specificity where I could specify allow all users from any IP, and then that line, which resulted in that user only being allowed from that IP? – Programster Jul 18 '15 at 08:45
- You can specify it also on group basis. – Jakuje Jul 18 '15 at 08:49
- Would that require me to add all the other users in the system to a group? Could I not use `DenyUser [user]`, then afterwards `AllowUser [user]@host` to override for that one host? – Programster Jul 18 '15 at 08:54
- Looks like I can't do exactly what I want so I need to either specify all users I allow, or go down the route of using keys for all logins, but permit password for only that one IP and have the monitoring server run on passwords. – Programster Jul 18 '15 at 09:13
- I inserted another possible solution. @Programster, can you have a look if it works for you? – Jakuje Jul 18 '15 at 21:56
- That looked really promising but I couldn't get it to work. A full list of all the tests I did is here (markdown format): http://pastebin.com/D7s7rqep – Programster Jul 19 '15 at 09:10
- Sorry. My bad. This won't work since Deny is evaluated before Allow. Maybe somebody can make up some solution, but I think it is not possible to solve it easily without fixing above mentioned bugs. – Jakuje Jul 19 '15 at 09:21
- I think I'll wait for the bugfixes. Any chance of updating your answer to remove the match block that doesn't work and stating "When the following bugs are fixed, this solution will work: (solution goes here)" ? – Programster Jul 19 '15 at 09:39
- `Match` and `AllowUsers` or `DenyUsers` don't work together. But you can have multiple match arguments, i.e. `Match User Host` and then your options, i.e. `PasswordAuthentication yes` – Robert Riedl Sep 13 '18 at 15:05
You can use wildcards for the AllowUsers line on the /etc/ssh/sshd_config file. So it would be feasible to add the line:
AllowUsers *@192.168.1.100
Or:
AllowUsers *@hostname
To allow everyone from that IP address or hostname access.
Remember to:
service ssh restart
Once you've made the changes, so long as you're on a version before 15.04. 15.04 uses systemd now, so has a different mechanism for controlling services.
- Thanks but this would prevent the other users from connecting from IPs other than 192.168.1.100 right? I'm trying to only restrict this one user to signing in from one IP and whatever I do must not affect other users in any way. – Programster Jul 18 '15 at 14:39
- It can be used for a space separated list, or with the @ symbol directly in front of group names. It's very configurable, but alternatively use a mix of some key based authentication without passwords for the servers, and normal password ssh for users. Sounds like that's already your plan though! – Arronical Jul 18 '15 at 17:19
- There's not a wildcard for all except a specified user such as regex `^(?!username$).*` is there? – Programster Jul 18 '15 at 17:27
According to man pages, this should work:
DenyUsers user@"!host,*"
I tested this on Debian and it seemed to work correctly.
- See "PATTERNS" section here: http://manpages.ubuntu.com/manpages/precise/en/man5/ssh_config.5.html Deny connection if the `user` comes from this list of hosts: `"!1.2.3.4,*"`. This list contains every host (`*`) except 1.2.3.4 (`!1.2.3.4`). – Roman Hocke Nov 27 '18 at 10:58
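To see why the `DenyUsers user` followed by `AllowUsers user@host` idea from the comments on the first answer fails, while the negated pattern-list in this answer works (and why the wildcard form in the second answer locks everyone else out), here is an added example that is not from the original page or from OpenSSH. It simulates the documented rules in Python: the `*`/`?` wildcards and `!` negation from the PATTERNS section of ssh_config(5), and the order "DenyUsers first, then AllowUsers" from sshd_config(5). The addresses (RFC 5737 documentation ranges), the user names `mon` and `alice`, and every function name are assumptions made for the example; CIDR lists and the group directives are left out. One caveat worth checking before relying on a hostname rather than an IP: sshd_config(5) says that with `UseDNS` off (the default in current releases) only addresses, not host names, can be matched.

```python
"""Simulate sshd's DenyUsers/AllowUsers evaluation for user@host patterns.

Added example, not code from the original page or from OpenSSH. It follows
the PATTERNS section of ssh_config(5) and the allow/deny ordering in
sshd_config(5): '*' and '?' are wildcards, a pattern-list is comma-separated,
and a '!' entry negates (a negated match vetoes the whole list and never
produces a positive match on its own).  All addresses and user names below
are constructed sample values.

Simplifications: DenyGroups/AllowGroups and CIDR notation are not modelled,
and the quoting sshd_config needs around the host list (user@"!host,*") is a
config-tokenizer concern, so patterns are plain Python strings here.
"""
import re


def match_pattern(string, pattern, lower=False):
    """One OpenSSH glob: '*' matches any run of characters, '?' exactly one."""
    if lower:
        string, pattern = string.lower(), pattern.lower()
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, string, re.DOTALL) is not None


def match_pattern_list(string, pattern_list, lower=False):
    """Comma-separated pattern-list: 1 = positive match, -1 = negated match, 0 = none."""
    got_positive = False
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(string, sub, lower):
            if negated:
                return -1  # a negated match ends evaluation as "no match"
            got_positive = True
    return 1 if got_positive else 0


def match_user(user, host, ipaddr, pattern):
    """Does one AllowUsers/DenyUsers entry ('user' or 'user@hostlist') match?"""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    user_pat, host_pat = pattern.split("@", 1)
    if not match_pattern(user, user_pat):
        return False
    # The host list is tried against the client IP and its reverse-DNS name;
    # a negated match on either side vetoes the entry.  Without "UseDNS yes"
    # sshd has no name to compare, which the caller models as host == ipaddr.
    by_ip = match_pattern_list(ipaddr, host_pat)
    by_name = match_pattern_list(host, host_pat, lower=True)
    if by_ip == -1 or by_name == -1:
        return False
    return by_ip == 1 or by_name == 1


def allowed_user(user, ipaddr, host=None, deny_users=(), allow_users=()):
    """sshd_config(5) order: DenyUsers is checked first, then AllowUsers.

    Returns True if these two directives would permit the login.
    """
    host = ipaddr if host is None else host
    if any(match_user(user, host, ipaddr, p) for p in deny_users):
        return False  # any DenyUsers hit refuses the login outright
    if allow_users and not any(match_user(user, host, ipaddr, p) for p in allow_users):
        return False  # once AllowUsers exists, the user must match an entry
    return True


MONITOR_IP = "192.0.2.10"   # constructed: the monitoring server
OTHER_IP = "198.51.100.7"   # constructed: any other client


def attempted_override():
    """'DenyUsers mon' then 'AllowUsers mon@<ip>': deny wins, so mon is locked out."""
    return allowed_user("mon", MONITOR_IP,
                        deny_users=["mon"], allow_users=["mon@" + MONITOR_IP])


def negated_deny_list():
    """'DenyUsers mon@"!<ip>,*"': mon only from the monitor, other users untouched."""
    deny = ["mon@!" + MONITOR_IP + ",*"]
    return (allowed_user("mon", MONITOR_IP, deny_users=deny),
            allowed_user("mon", OTHER_IP, deny_users=deny),
            allowed_user("alice", OTHER_IP, deny_users=deny))


def wildcard_allow():
    """'AllowUsers *@<ip>' allows everyone from that address and nobody from elsewhere."""
    allow = ["*@" + MONITOR_IP]
    return (allowed_user("alice", MONITOR_IP, allow_users=allow),
            allowed_user("alice", OTHER_IP, allow_users=allow))


if __name__ == "__main__":
    print("DenyUsers-then-AllowUsers override lets mon in:", attempted_override())
    print("negated deny list (mon@monitor, mon@other, alice@other):", negated_deny_list())
    print("wildcard allow (alice@monitor, alice@other):", wildcard_allow())
```

The three helper functions at the bottom reproduce the three configurations discussed on this page; `allowed_user` can also be called directly to try a candidate `AllowUsers`/`DenyUsers` list against a user and address before putting it into `/etc/ssh/sshd_config`. The real check remains `sshd -T` on the host (and a login attempt from a second session kept open), since this simulator deliberately skips groups and CIDR lists.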
Since this is the top search result in Google, I think people should also be aware of setting permissions in the /etc/hosts.allow file (courtesy of Cameron Oltmann's blog post on the matter):
To limit ssh access to a linux box based on originating IP address, edit /etc/hosts.allow:
sshd : localhost : allow
sshd : 192.168.0. : allow
sshd : 99.151.250.7 : allow
sshd : mydomain.net : allow
sshd : ALL : deny
The above entry will allow ssh access from localhost, the 192.168.0.x subnet, the single IP address 99.151.250.7, and mydomain.net (assuming mydomain.net has a PTR record in place to facilitate reverse lookup). All other IP addresses will be denied access to sshd.
Notes: You can allow or deny based on IP address, subnet, or hostname. List rules in order of most to least specific. The file only gets read until a matching line is found, so if you start with sshd : ALL : deny, no ssh connections will be allowed.
And you should be able to use user@address in this file, per this lifewire.com link:
The more complex forms daemon@host and user@host are explained in the sections on server endpoint patterns and on client username lookups, respectively.