restricting ssh login based on IP

Tapas Mishra mightydreams at gmail.com
Sat Feb 26 09:21:17 UTC 2011


On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner <dsheffner at gmail.com> wrote:
> Like Michael said I would accomplish this with two users.  Just off the top
> of my head I would do:

No, not two users. It has to be the same user, who has to be restricted based
on the IP from which he logs in.
I need some more information on the PAM approach, if someone can give it:
which direction should I be heading for that approach?

> user 1) has full read/write access to /home/user1
> user 2) has read only access to /home/user2
>
> schedule cron to rsync from /home/user1 to /home/user2 and make everything
> read only for the /home/user2.
>
> Dan
>
> On Sat, Feb 26, 2011 at 2:04 AM, Michael Zoet <Michael.Zoet at zoet.de> wrote:
>>
>> On 26.02.2011 06:32, Tapas Mishra wrote:
>> > Hi,
>>
>> Hi Tapas,
>>
>> >
>> > I would like to allow a user to login through SSH but with different
>> > permission coming from different ipaddress.
>> >
>> > For example, a user "tester" login to SSH through 192.168.1.1 and
>> > another user login with the same login id "tester" but from different
>> > ip 192.168.1.2.
>> >
>> > How do I restrict 192.168.1.2 to only allow for viewing the content in
>> > the home directory while giving 192.168.1.1 full access?
>>
>> Why do you have to use the same user? Viewing the contents of a
>> directory has nothing to do with SSH and you need to use some other
>> methods. So using different users to login would be the easiest to
>> accomplish this. Then you need only to change the permissions on the
>> filesystem. And if you are using POSIX ACLs you have more options than
>> you will ever need for this situation. Keep it simple is the best way
>> for system administration.
>>
>>
>> >
>> >
>> > I got a suggestion from someone
>> >
>> > Approach 1)
>> > Based on the ip you change the shell. If it's just for read only a
>> > jail would be fine.
>> >
>> > but how do I change shell based on IP?
>> >
>> > Approach 2)
>> >
>> > to have two ssh instances. Let's say port 22 and port 24. Port 22 is
>> > for read only, while port 24 is for full access
>> >
>> > so how can it be possible to give port 22 only read only access to SSH
>> >
>> >
>>
>> Maybe you can tweak PAM and do some shell scripting to achieve both
>> approaches. But why? If you do not do it right you might break your
>> system. I really do not know what this could be good for... Using 2
>> users is the easiest way.
>>
>> Bye,
>>
>> Michael
>>



-- 
http://mightydreams.blogspot.com
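
An added example, not part of the original thread: one way to get "Approach 1" (a different session type for the same login, chosen by client address) is an sshd `ForceCommand` wrapper that reads `SSH_CONNECTION`. The script path, the `--gate` argument, the function names and the `sftp-server` location are assumptions; the two addresses are the ones from the question.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper choosing the session type by client IP.
# Assumed install path and sshd_config wiring (Match/ForceCommand are real
# sshd_config keywords; the script path and --gate argument are made up here):
#
#   Match User tester
#       ForceCommand /usr/local/sbin/ssh-ip-gate --gate

FULL_ACCESS_IP="192.168.1.1"   # from the thread: full access
READ_ONLY_IP="192.168.1.2"     # from the thread: view only
SFTP_SERVER="/usr/lib/openssh/sftp-server"   # assumed Debian/Ubuntu location

# sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port".
client_ip() {
    printf '%s\n' "${1%% *}"
}

# Map a client address to a mode; anything unrecognised is denied.
access_mode() {
    case "$1" in
        "$FULL_ACCESS_IP") echo full ;;
        "$READ_ONLY_IP")   echo readonly ;;
        *)                 echo deny ;;
    esac
}

gate() {
    case "$(access_mode "$(client_ip "${SSH_CONNECTION:-}")")" in
        full)
            # Keep "ssh host command" working as well as interactive logins.
            if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
                exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
            fi
            exec "${SHELL:-/bin/sh}" -l ;;
        readonly)
            # sftp-server -R denies every request that would modify the
            # filesystem: this address can browse and download, no shell.
            exec "$SFTP_SERVER" -R ;;
        *)
            echo "login from this address is not permitted" >&2
            exit 1 ;;
    esac
}

# Only act when invoked by sshd as configured above.
if [ "${1:-}" = "--gate" ]; then gate; fi
```

Both session types still run under the same UID and sshd starts the forced command through the user's login shell, so files in the home directory that the full-access session can edit also influence the restricted one. A second account with filesystem permissions, as suggested in the thread, remains the stronger boundary.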

More information about the ubuntu-server mailing list