network/mask in AllowUsers (sshd_config)


Dick Visser-3
Hi guys

Is there any way of configuring networks in sshd_config's AllowUsers?

You can put in user, user@hostname, but no user@network/mask.
Having networks in AllowUsers would be extremely useful.

Best regards,

--
Dick Visser
TERENA (IT Support Officer)
Singel 468D  1017AW  Amsterdam
The Netherlands
IP Phone: sip://[hidden email]
Legacy phone:  +31205304488
http://www.terena.nl/~dick/pgp.key.asc


Re: network/mask in AllowUsers (sshd_config)

Lukasz Sztachanski
On Fri, Apr 14, 2006 at 12:24:33PM +0200, Dick Visser wrote:
> Hi guys
>
> Is there any way of configuring networks in sshd_config's AllowUsers?
>
> You can put in user, user@hostname, but no user@network/mask.
> Having networks in AllowUsers would be extremely useful.
>
> Best regards,
>
This can be done with hosts_access(5). AFAIR, user@ restricting needs
identd on the client side (well, that's quite obvious).



                                - Lukasz Sztachanski


--
0x058B7133 // 16AB 4EBC 29DA D92D 8DBE  BC01 FC91 9EF7 058B 7133
http://entropy.pl
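
A simplified model of the hosts_access(5) matching referred to in the reply above, added here as an example and not part of the original thread or of the TCP wrappers code. The rule lists, addresses (documentation ranges) and function names are constructed for illustration; it shows why a `user@network/mask` rule only matches when the client side answers an ident query.

```python
import ipaddress

# Constructed sample rules in (daemon, client pattern) form, modelled on
# hosts.allow / hosts.deny. Networks use the net/mask notation.
HOSTS_ALLOW = [
    ("sshd", "192.0.2.0/255.255.255.0"),          # any user from this network
    ("sshd", "dick@198.51.100.0/255.255.255.0"),  # needs an ident answer
]
HOSTS_DENY = [("sshd", "ALL")]                    # everything else is refused


def client_matches(pattern, client_ip, ident_user):
    """Match one client pattern: ALL, net/mask, or user@net/mask."""
    user_pat, at, host_pat = pattern.rpartition("@")
    if at and user_pat != "ALL" and user_pat != ident_user:
        # user@ is compared with the name reported by the client's identd,
        # not with the account being logged into on the server. With no
        # ident answer (ident_user is None) a named-user rule cannot match.
        return False
    if host_pat == "ALL":
        return True
    network = ipaddress.ip_network(host_pat)
    return ipaddress.ip_address(client_ip) in network


def rule_hits(rules, daemon, client_ip, ident_user):
    """True if any rule in the list matches this daemon and client."""
    return any(
        d in (daemon, "ALL") and client_matches(p, client_ip, ident_user)
        for d, p in rules
    )


def allowed(daemon, client_ip, ident_user=None):
    """Allow list first, then deny list, otherwise access is granted."""
    if rule_hits(HOSTS_ALLOW, daemon, client_ip, ident_user):
        return True
    if rule_hits(HOSTS_DENY, daemon, client_ip, ident_user):
        return False
    return True


if __name__ == "__main__":
    for ip, user in [("192.0.2.17", None), ("198.51.100.9", None),
                     ("198.51.100.9", "dick"), ("203.0.113.5", "dick")]:
        print(ip, user, "->", "allow" if allowed("sshd", ip, user) else "deny")
```

The ident user name is whatever the client host reports, so a rule that depends on it is only as trustworthy as that host.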


Re: network/mask in AllowUsers (sshd_config)

Joachim Schipper
On Fri, Apr 14, 2006 at 01:49:20PM +0200, Lukasz Sztachanski wrote:

> On Fri, Apr 14, 2006 at 12:24:33PM +0200, Dick Visser wrote:
> > Hi guys
> >
> > Is there any way of configuring networks in sshd_config's AllowUsers?
> >
> > You can put in user, user@hostname, but no user@network/mask.
> > Having networks in AllowUsers would be extremely useful.
> >
> > Best regards,
> >
> This can be done with hosts_access(5). AFAIR, user@ restricting needs
> identd on the client side (well, that's quite obvious).

Not when it's integrated into OpenSSH. Of course, that would not be
TCPwrapper, but something custom-coded.

As to its being useful - methinks public-key authentication is
preferable to IP-based filtering.

                Joachim