restricting ssh login based on IP

Dan Sheffner dsheffner at gmail.com
Sat Feb 26 08:09:53 UTC 2011


Like Michael said, I would accomplish this with two users. Just off the top
of my head I would do:

user 1) has full read/write access to /home/user1
user 2) has read only access to /home/user2

Schedule cron to rsync from /home/user1 to /home/user2 and make everything
read-only for /home/user2.

Dan

On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet <Michael.Zoet at zoet.de> wrote:

>
> On 26.02.2011 06:32, Tapas Mishra wrote:
> > Hi,
>
> Hi Tapas,
>
> >
> > I would like to allow a user to log in through SSH but with different
> > permissions when coming from a different IP address.
> >
> > For example, a user "tester" logs in to SSH through 192.168.1.1 and
> > another user logs in with the same login id "tester" but from a different
> > IP, 192.168.1.2.
> >
> > How do I restrict 192.168.1.2 to only allow for viewing the content in
> > the home directory while giving 192.168.1.1 full access?
>
> Why do you have to use the same user? Viewing the contents of a
> directory has nothing to do with SSH and you need to use some other
> methods. So using different users to login would be the easiest to
> accomplish this. Then you need only to change the permissions on the
> filesystem. And if you are using POSIX ACLs you have more options than
> you will ever need for this situation. Keep it simple is the best way
> for system administration.
>
>
> >
> >
> > I got a suggestion from someone
> >
> > Approach 1)
> > Based on the ip you change the shell. If it's just for read only a
> > jail would be fine.
> >
> > but how do I change shell based on IP?
> >
> > Approach 2)
> >
> > to have two ssh instances. Let's say port 22 and port 24. Port 22 is
> > for read only, while port 24 is for full access
> >
> > so how can it be possible to give port 22 only read only access to SSH
> >
> >
>
> Maybe you can tweak PAM and do some shell scripting to achieve both
> approaches. But why? If you do not do it right you might break your
> system. I really do not know what this could be good for... Using 2
> users is the easiest way.
>
> Bye,
>
> Michael
>
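The two-account scheme from Dan's reply, as an added example that is not part of the original thread: one function that mirrors user1's home for user2 and strips every write bit. The function name, the cron schedule and script path in the comment, the `root:user2` ownership and the `.ssh` exclusion are assumptions of this example, not details from the e-mails.

```shell
#!/bin/sh
# Added example, not from the thread. user1/user2 and the /home paths follow
# Dan's mail; mirror_readonly and the cron entry below are assumptions.
#
# Root crontab entry (assumed schedule and script path):
#   */10 * * * * . /usr/local/lib/mirror_readonly.sh && \
#       mirror_readonly /home/user1 /home/user2 root:user2

# mirror_readonly SRC DST [OWNER:GROUP]
mirror_readonly() {
    src=$1; dst=$2; owner=${3:-}
    [ -d "$src" ] || { echo "mirror_readonly: no directory $src" >&2; return 1; }
    command -v rsync >/dev/null 2>&1 ||
        { echo "mirror_readonly: rsync not found" >&2; return 127; }
    mkdir -p "$dst" || return 1

    # The previous run left the tree without write bits. Give the owner write
    # access back so an unprivileged run can update it (root does not need it).
    chmod -R u+w "$dst" || return 1

    # -a keeps the layout, --delete drops files that were removed from SRC,
    # and the trailing slashes copy SRC's contents rather than SRC itself.
    # /.ssh is excluded so user1's keys never land in the copy; an excluded
    # path is also left alone on the DST side.
    rsync -a --delete --exclude=/.ssh "$src"/ "$dst"/ || return 1

    # If user2 owned the copy, user2 could chmod it writable again, so hand
    # ownership to another account (needs root). -h never follows a symlink.
    if [ -n "$owner" ]; then
        chown -hR "$owner" "$dst" || return 1
    fi

    # Owner and group may list directories and read files; nobody may write.
    # -type d / -type f skip symlinks, so link targets are never touched.
    find "$dst" -type d -exec chmod 0550 {} + || return 1
    find "$dst" -type f -exec chmod 0440 {} + || return 1
}
```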