Home / server / Questions / 870464
Accepted
MarkHelms
Asked: 2017-08-26 06:59:10 +0800 CST

allow ssh login for certain groups from certain IP addresses, deny from other addresses

  • 772

OS: CentOS 6.5 SSH v5.3

Goal:

  • root access is allowed with PubKeyAuthentication from several hosts.

  • users of "group1" are allowed to login with whatever they provide: PubKey, Password, GSSAPI, KerberosPassword; but they are only allowed to arrive from one certain IP: 192.168.1.10

Status: root access is already defined via multiple from="" -entries in ~/.ssh/authorized_keys, and works as expected.

Problem: users of group1 can arrive from 192.168.1.10 OR from elsewhere; or are locked out completely (with earlier tested configurations).

I tried several variations, but to no avail.

/etc/pam.d/sshd effectively looks like:

    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet

Currently I have in sshd_config :

    PermitRootLogin without-password
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    UsePAM yes

    AllowGroups root group1

    Match Group [email protected]
        KerberosAuthentication yes
        PasswordAuthentication yes
        GSSAPIAuthentication yes
        PubKeyAuthentication yes
    Match Group root
        PubKeyAuthentication yes

Any proposals?

ssh

1 Answers

  1. Best Answer

    I found a working solution. sshd debug mode ( /usr/sbin/sshd -ddd ) indicated the missing link:

        debug1: connection from 192.168.1.111 matched 'Address *'
    debug3: match found
    [...]
    Accepted **keyboard-interactive/pam** for xxx from \ 
           192.168.1.111 port 54282 ssh2

    As you can see the login matched the correct block; but due to UsePAM yes PAM obviously overruled the "no"-entries in the Match Address * block; see manual:

        UsePAM  Enables the Pluggable Authentication Module interface. 
            If set to “yes” this will enable PAM authentication using
            [...] PasswordAuthentication

    The final config looks like:

        PermitRootLogin without-password
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no

    UsePAM yes

    AllowGroups root group1

    Match Address 192.168.1.10
      KerberosAuthentication yes
      PasswordAuthentication yes
      GSSAPIAuthentication yes
      PubKeyAuthentication yes
      KbdInteractiveAuthentication yes

    Match Group root
      PubKeyAuthentication yes

    Match Address *
      KerberosAuthentication no
      PasswordAuthentication no
      GSSAPIAuthentication no
      PubKeyAuthentication no
      KbdInteractiveAuthentication no

    Only after having added KbdInteractiveAuthentication no the PAM password feature was disabled for this block, and users coming from anywhere are now successfully denied.

    • 0