Sylvain Ferriol <sferriol@imag.fr> writes:
> Hello,
>
> I want to configure an ssh gateway between the internet and my intranet.
> The specifications are:
> - a user from the internet cannot log in to the ssh_gateway
> - some users (admins) from the intranet can log in to the ssh_gateway
>
> How can I do that?
> Can I allow sshd to accept logins only from an IP address range?
>
> Is it more secure to only accept port forwarding on the ssh_gateway?
TCP Wrappers, rather than an sshd config, is the place to do this.
The 30-second tutorial, assuming it's installed:
edit /etc/hosts.deny
Make this the one and only line:
sshd: ALL
Or, if you want to get more restrictive and don't host external
services on the box make that:
ALL:ALL
which denies everything by default except things specifically
allowed.
Next, edit /etc/hosts.allow
Add lines
sshd: ip.address.to.allow.here
sshd: ip.address2.to.allow.here
sshd: ip.address3.to.allow.here
sshd: ip.address4.to.allow.here
sshd: intranet.mycompany.com
See man hosts.allow for more details and the different ways to specify IP
ranges and subnets. If your intranet hosts reverse-resolve to a
consistent name, e.g. host123.intranet.mycompany.com, then "sshd:
intranet.mycompany.com" would be your hosts.allow entry.
Best Regards,
--
Todd H.
http://www.toddh.net/
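The hosts.allow/hosts.deny procedure above is easy to get subtly wrong, so here is an added example (not part of the original thread, and not code from TCP Wrappers itself) that models the decision libwrap makes: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is permitted. The sample hosts.allow and hosts.deny contents below are constructed to mirror the reply; the IP addresses and hostnames in them are made up. It implements only a subset of the hosts_access(5) pattern syntax (ALL, exact address, dotted prefix like "192.168.", net/mask, and a leading-dot domain suffix); EXCEPT lists and shell-command options are not modelled. Two caveats a practitioner should keep in mind: per hosts_access(5), a hostname pattern only matches a suffix when it begins with a dot, so "sshd: intranet.mycompany.com" matches exactly that one name while "sshd: .intranet.mycompany.com" matches host123.intranet.mycompany.com; and name-based rules only hold if your reverse DNS is trustworthy, so IP-based entries are the safer default.

```python
import ipaddress

# Constructed sample access files, modelled on the reply above (not real site config).
HOSTS_DENY = """\
# deny ssh from everywhere not listed in hosts.allow
sshd: ALL
"""

HOSTS_ALLOW = """\
sshd: 10.1.2.3                       # one admin workstation
sshd: 10.1.2.0/255.255.255.0         # an intranet subnet, net/mask form
sshd: 192.168.                       # dotted-decimal prefix form
sshd: .intranet.mycompany.com        # leading dot = domain suffix match
"""


def parse_access_file(text):
    """Turn hosts.allow/hosts.deny text into (daemon_list, client_list) rules.

    Comments and blank lines are skipped. Anything after a second ':' (shell
    commands such as 'spawn', or an explicit 'allow'/'deny') is ignored here.
    """
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(':')
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(',')]
        clients = [c.strip() for c in parts[1].split(',')]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr, hostname):
    """Subset of hosts_access(5) client patterns (EXCEPT is not modelled)."""
    if pattern == 'ALL':
        return True
    if '/' in pattern:                 # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.startswith('.'):        # domain suffix; relies on reverse DNS
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith('.'):          # dotted-decimal address prefix
        return addr.startswith(pattern)
    # otherwise an exact address or an exact hostname
    return pattern == addr or (hostname is not None and pattern == hostname)


def rules_match(rules, daemon, addr, hostname):
    """True if any rule names this daemon (or ALL) and one of its clients matches."""
    for daemons, clients in rules:
        if daemon in daemons or 'ALL' in daemons:
            if any(client_matches(c, addr, hostname) for c in clients):
                return True
    return False


def hosts_access(daemon, addr, hostname=None,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Mirror libwrap's order: hosts.allow first, then hosts.deny, else permit."""
    if rules_match(parse_access_file(allow_text), daemon, addr, hostname):
        return True
    if rules_match(parse_access_file(deny_text), daemon, addr, hostname):
        return False
    return True


if __name__ == '__main__':
    for addr, host in [('10.1.2.3', None), ('10.1.2.200', None),
                       ('192.168.5.5', None), ('203.0.113.7', None),
                       ('203.0.113.7', 'host123.intranet.mycompany.com')]:
        print(f"sshd from {addr} ({host}): {'allow' if hosts_access('sshd', addr, host) else 'deny'}")
```

Note the last case in the loop: a host on the public internet gets in purely because it reverse-resolves into the trusted domain, which is why a forward-confirmed reverse lookup (or IP-only rules) matters if you use name patterns. Also, the "sshd: ALL" deny line leaves every other wrapped service open; the "ALL: ALL" variant from the reply closes that, as the hosts_access call with a custom deny_text shows.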