I want to configure server so only one user (git) is able to login from any IP address (using key), the other users just from specified IPs.
Currently my configuration allows any user to login from just one specified IP.
Here's what I have now:
/etc/ssh/sshd_config:
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
# AllowUsers
# not configured
/etc/hosts.allow:
# my workplace IP
sshd: 191.225.37.xyz
# my trusted server
ALL: my.private.com
/etc/hosts.deny:
# bunch of addresses added by protection services
sshd: x.y.z.v
UFW is disabled.
How to configure it so any user can login just from this specified IP (as is), but git user is able to login via ssh from any IP?
You probably should be doing this all with the match function in your sshd_config instead of trying to use the tcp wrappers hosts.allow (which is a deprecated function in the official sshd). Many examples can be found with Google search. Here is an untested example of what I expect might be similar to what you want. Do please spend some time reading the man page and other Google results on your own.
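One way to express the per-user rule in sshd_config, as an added example that is not part of the original answer. It assumes 203.0.113.10 as a placeholder for the trusted workplace address and that the git account is used only for repository access.

```conf
# /etc/ssh/sshd_config (added example; address below is a placeholder)
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes

# Access rule: git from any address, every other account only from the
# trusted address. USER@HOST patterns also accept CIDR, e.g. *@203.0.113.0/24.
AllowUsers git *@203.0.113.10

# git is reachable from everywhere, so narrow what that account can do.
# Assumption: git is a repository-only account that needs no terminal
# and no forwarding.
Match User git
    AuthenticationMethods publickey
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
```

TCP wrapper rules in hosts.allow and hosts.deny are evaluated per connection, before the user name is known, so they cannot make an exception for git and must not block the addresses git connects from. Check the syntax with `sshd -t` and the effective settings for one case with `sshd -T -C user=git,addr=198.51.100.7` (a constructed test address) before reloading sshd.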