I'd like to restrict SSH logins for a specific FreeBSD user account to a specific IP address (they're automated rsync backups from one machine to another, no actual user should ever be logging in, just the SSH+rsync process).
I feel like I should be able to do this using either hosts.allow or sshd_config... but I can't find any clear-cut example for how to do this. Can anyone tell me?
In addition to the wrappers option... I imagine this rsync backup is making use of an ssh key. You can restrict a key to a specific source IP or domain. This would be equivalent to a user-to-IP restriction since only that user is making use of that key (if you're smart, which you appear).
First line of authorized_keys file:
from="trusted.domain.com",no-port-forwarding,no-pty ssh-rsa AAAABasdf
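An added example, not part of the original answers: a small audit that parses the options field of `authorized_keys` lines and reports keys that are not pinned with `from=` to the expected backup source. The sample lines, the function names and the expected IP are constructed for illustration; matching covers IP literals, `*`/`?` wildcards, CIDR and `!` negation only, not hostname patterns, which sshd resolves through DNS.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

SAMPLE = "\n".join([  # constructed sample; key blobs are placeholders
    'from="192.0.2.10",no-port-forwarding,no-pty ssh-rsa AAAAB3placeholder backup@src',
    'ssh-ed25519 AAAAC3placeholder admin@laptop',
    'from="198.51.100.0/24,!198.51.100.7",no-pty ssh-rsa AAAAB3placeholder other@host',
])
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes that start the key field
OPT = re.compile(r'([A-Za-z-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+|$)')

def parse_options(line):
    """Return the leading options of one authorized_keys line as a dict."""
    opts, pos = {}, 0
    if line.startswith(KEY_TYPES):  # no options field present
        return opts
    while (m := OPT.match(line, pos)):
        opts[m.group(1).lower()] = m.group(2)  # value is None for bare flags
        pos = m.end()
        if m.group(3) != ",":  # whitespace or end of line closes the options
            break
    return opts

def source_allowed(patterns, ip):
    """Check an IP against a from= list: literals, */? wildcards, CIDR, ! negation."""
    allowed = False
    for pat in patterns.split(","):
        negate, pat = pat.startswith("!"), pat.lstrip("!")
        if "/" in pat:
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatchcase(ip, pat)
        if hit and negate:  # a negated match rejects regardless of other entries
            return False
        allowed = allowed or hit
    return allowed

def audit(text, expected_ip):
    """List (line_no, finding) for keys not pinned to a list admitting expected_ip."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src = parse_options(line).get("from")
        if src is None or not source_allowed(src, expected_ip):
            why = "no from= restriction" if src is None else "from= excludes expected source"
            findings.append((n, why))
    return findings
```

Calling `audit(SAMPLE, "192.0.2.10")` flags the second and third sample keys; run it over the backup account's real `authorized_keys` with the backup machine's address as `expected_ip`.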
From the hosts.allow manpage:
It is also possible to restrict the remote IP address in the sshd_config file, e.g. for root access:

The options AllowUsers, AllowGroups, DenyUsers, DenyGroups can be used for restrictions as well, e.g.:

The sshd_config manpage section Match has a detailed list of allowed options and description.