Some ways to restrict who can log in via OpenSSH and how they authenticate
In yesterday's entry on allowing password authentication from the Internet for SSH, I mentioned that there were ways to restrict who this was enabled for or who could log in through SSH. Today I want to cover some of them, using settings in /etc/ssh/sshd_config.
The simplest way is to globally restrict logins with AllowUsers, listing only the specific accounts you want to be accessible over SSH. If there are too many such accounts or they change too often, you can switch to AllowGroups and allow only people in a specific group that you maintain, call it 'sshlogins'.
If you want to allow logins generally but restrict, say, password based authentication to only people that you expect, what you want is a Match block and setting AuthenticationMethods within it. You would set it up something like this:
    AuthenticationMethods publickey
    Match User cks
      AuthenticationMethods any
If you want to be able to log in using a password from your local networks but not remotely, you could extend this with an additional Match directive that looks at the origin IP address:
    Match Address 127.0.0.0/8,<your networks here>
      AuthenticationMethods any
In general, Match directives are your tool for doing relatively complex restrictions. You could, for example, arrange that accounts in a certain Unix group can only log in from the local network, never remotely. Or reverse this so that only logins in some Unix group can log in remotely, and everyone else is only allowed to use SSH within the local network.
However, any time you're doing complex things with Match blocks, you should test your configuration to make sure it's working the way you want. OpenSSH's sshd_config is a configuration file with some additional capabilities, not a programming language, and there are undoubtedly some subtle interactions and traps you can fall into.
(This is one reason I'm not giving a lot of examples here; I'd have to carefully test them.)
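One way to do that testing, as an added example that is not from the original entry: sshd's extended test mode (`sshd -T`) combined with `-C` prints the settings that would apply to a given user and source address, so expectations can be checked mechanically. The sshd and config paths, the user 'alice', and the address 203.0.113.7 are assumptions made for illustration; the expected values correspond to the AuthenticationMethods configuration shown above.

```sh
#!/bin/sh
# Added example, not from the original post. Paths are assumptions; override them.
SSHD="${SSHD:-/usr/sbin/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# effective_setting USER ADDR KEYWORD
# Print the value sshd would apply to KEYWORD for this user and source address,
# after evaluating Match blocks. Usually needs root so sshd can read host keys.
effective_setting() {
    # sshd -T prints one lower-case "keyword value..." line per setting.
    key=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    # host= is the resolved client name; the address is reused as a stand-in.
    "$SSHD" -T -f "$SSHD_CONFIG" -C "user=$1,host=$2,addr=$2" </dev/null |
        awk -v k="$key" '$1 == k { $1 = ""; sub(/^ +/, ""); print; found = 1 }
                         END { exit !found }'
}

# check_expectations: read "user addr keyword expected-value" lines from stdin,
# report every mismatch on stderr, return non-zero if any line failed.
check_expectations() {
    failures=0
    while read -r user addr key want; do
        case "$user" in '' | '#'*) continue ;; esac
        got=$(effective_setting "$user" "$addr" "$key") || got='<no value>'
        if [ "$got" != "$want" ]; then
            echo "FAIL user=$user addr=$addr $key: got '$got', want '$want'" >&2
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed expectations for the configuration shown in this entry.
# 'alice' and 203.0.113.7 (a documentation address) are made-up test values.
sample_expectations() {
    cat <<'EOF'
# user addr        keyword               expected
cks   203.0.113.7 authenticationmethods any
alice 203.0.113.7 authenticationmethods publickey
alice 127.0.0.1   authenticationmethods any
EOF
}

# Run as "sh check-sshd-match.sh run" to test the live configuration.
if [ "${1:-}" = "run" ]; then
    sample_expectations | check_expectations && echo "all expectations hold"
fi
```

Point SSHD_CONFIG at a candidate file to check it before installing it, and extend the table with one line per user and network combination you care about.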
Sidebar: Restricting root logins via OpenSSH
If you permit root logins via OpenSSH at all, one fun thing to do is to restrict where you'll accept them from:
    PermitRootLogin no
    Match Address 127.0.0.0/8,<your networks here>
      # or 'yes' for some places
      PermitRootLogin prohibit-password
A lot of Internet SSH probers direct most of their effort against the root account. With this setting you're assured that all of them will fail no matter what.