AIX openSSH allow anyuser any IP (default) but restrict a particular user to an IP

Question

Can't seem to come up with the correct Match for this one

sshd should allow anyone from anywhere i.e. the usual/default config, but I want to restrict a user to a IP

For example bob should only be allowed in from IP 1.2.3.4

PS I have added AIX as the O/S. Although PAM is part of AIX it is implemented somewhat differently

what's wrong with `AllowUsers bob@1.2.3.4` in your `/etc/ssh/sshd_config` file? — LinuxDevOps, Mar 28 '14 at 15:47
If I read the manpage correctly that would then only allow bob@1.2.3.4 and no one else — user214402, Mar 28 '14 at 16:01

Matthew Ife · Answer 1 · 2014-03-28T17:50:27.960

Seeing as nobody else has yet mentioned it, its possible to do this with the pam_access module.

You'll need to check the pam stack is invoking this module by looking in /etc/pam.d/sshd and adding as an account value if it is not there. IE

#%PAM-1.0
auth       required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so

account    required     pam_access.so

account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session    required     pam_tty_audit.so enable=*

Then, in the access file (default is /etc/security/access.conf) add the three following lines (providing no other lines offer any other security setup).

+ : bob : 1.2.3.4
- : bob : ALL
+ : ALL : ALL

In SSH

I suppose the following would work.

<Global scope>
DenyUsers bob

Match Address 1.2.3.4
  AllowUsers bob

I added an option that may work in SSH, providing you're not running an ancient version. — Matthew Ife, Mar 28 '14 at 17:50
Your running too old a version. My `sshd_config` man page explicitly indicates this is supported. — Matthew Ife, Mar 28 '14 at 20:29

score 0 · Answer 2 · answered Mar 28 '14 at 16:15

If you know all other users, this will work:

AllowUsers user@ip user2 user3

but unfortunately, it's not working with wildcards.

Depending on what your end-goal is, you could force your users to use SSH keys instead of passwords and restrict the host in the users ~/.ssh/authorized_keys file with a from= statement (see man sshd for infos on the format).

score -1 · Answer 3 · answered Mar 28 '14 at 16:18

-1

If I understand correctly, you want to allow all the lucky non-Bob users to come from anywhere, but the hapless Bob can only come from 1.2.3.4.

Maybe try this:

AllowUsers !bob
AllowUsers bob@1.2.3.4

answered Mar 28 '14 at 16:18

mlv

154
2

This way, alice, charly and their friends can't log in either, or you have to list them separately. – Sven Mar 28 '14 at 16:26
My understanding of the man page is that !bob is a pattern that matches all users except bob (which includes alice, charly and anyone else). The second line allows bob only from 1.2.3.4. – mlv Mar 28 '14 at 16:30
It's not working this way. – Sven Mar 28 '14 at 16:37

AIX openSSH allow anyuser any IP (default) but restrict a particular user to an IP

3 Answers3