20/09/2006, 17:17   #4
Todd H.
Re: allow login from specific address

Sylvain Ferriol <sferriol@imag.fr> writes:

> Todd H. wrote:
> > Sylvain Ferriol <sferriol@imag.fr> writes:
> >
> >>hello
> >>
> >>i want to config a ssh gateway between internet and my intranet:
> >>the specifications are:
> >>- a user from internet can not login the ssh_gateway
> >>- some users (admins) from intranet can login the ssh_gateway
> >>
> >>how can i do that ?
> >>can i allow sshd to accept login only from an ip address range ?
> >>
> >>is it more secure to only accept port forwarding on ssh_gateway ?

> > TCP Wrappers rather than an sshd config is the place to do this. The
> > 30 second tutorial, assuming it's installed: edit /etc/hosts.deny
> > Make this the one and only line: sshd: ALL

>
> the problem is that i want to allow port forwarding from internet to
> intranet like this:
> ssh -N -L 4444:foo_server:4444 sshd_gateway


Are your requirements opposed to each other?

If you want to allow a forward connection from internet to intranet on
the gateway to set up that port forwarding, you can't prohibit "a user
from internet can not login the ssh_gateway."

Or are you saying you want to allow this port forwarding, but no
interactive login shells from internet users?

--
Todd H.
http://www.toddh.net/
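
Added example, not part of the original thread: one way to express the second reading of the requirements (port forwarding allowed from the internet, interactive logins only for intranet admins) in the gateway's `sshd_config` on a current OpenSSH. The account names `alice`, `bob` and `tunnel` and the intranet range `192.0.2.0/24` are placeholders assumed for illustration; `foo_server:4444` is the forward target from the question.

```conf
# /etc/ssh/sshd_config on the gateway (constructed example, placeholder names)

# Default for every connection: no forwarding of any kind.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no
PermitRootLogin no

# Who may authenticate at all:
#  - admins alice and bob, only when connecting from the intranet range
#  - the forwarding-only account "tunnel", from any address
AllowUsers alice@192.0.2.0/24 bob@192.0.2.0/24 tunnel

# The forwarding-only account: no terminal, no shell, no command,
# and local (-L) forwards restricted to the single intranet service.
Match User tunnel
    AllowTcpForwarding local
    PermitOpen foo_server:4444
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    # Any shell or command request exits immediately; a client started
    # with "ssh -N -L 4444:foo_server:4444 ..." requests no command,
    # so its forward keeps working.
    ForceCommand /bin/false
```

Run `sshd -t` to check the file for syntax errors before reloading the daemon.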