restricting ssh login based on IP

Serge E. Hallyn serge.hallyn at canonical.com
Mon Feb 28 13:37:45 UTC 2011


Quoting Michael Zoet (Michael.Zoet at zoet.de):
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 26.02.2011 10:21, Tapas Mishra wrote:
> > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner <dsheffner at gmail.com> wrote:
> >> Like Michael said I would accomplish this with two users. Just off the top
> >> of my head I would do:
> > No not two users it has to be same user who has to be restricted based
> > on IP from which he logs in.
> 
> Normally I would say it is impossible, but I do not know everything
> about PAM, jails and so on. The file system permissions are not based
> on the IP a user came from, so you need to tweak a lot! If I really
> had to do such things I would write a shell script that looks up from
> where the user came and sets up the environment accordingly and make this
> shell script the login shell. But this is a lot of work and someone has
> to be very careful...

Right - giving details to match those in the requirements :), two ways
you could do this include (1) creating a container for the readonly
user, give it the second IP (or fwd the second IP to it), and make
/home/$user a recursive readonly bind mount of the real home.  And
(2) you could presumably use an apparmor rule.  First thought is
write your own trivial pam module to set the user's apparmor context
based on login.

-serge
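As an added example (not code from this thread or from any of the posters), here is a POSIX sh sketch of the two ideas above: the login-shell wrapper Michael describes, which reads the client address sshd records in SSH_CONNECTION and picks a session mode, and the root-side mount recipe for Serge's option (1). The 10.0.0.0/24 network, the /var/lib/lxc container path, the ro-login script name and the use of bash's restricted mode are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies an SSH client address
# and prints the root-side mount commands for a read-only home view.

# Assumed policy: logins from this network get the read-only session.
READONLY_NET="${READONLY_NET:-10.0.0.0/24}"
# Assumed real shell to hand the session to once the mode is known.
REAL_SHELL="${REAL_SHELL:-/bin/bash}"

# ip_to_int 10.0.0.5 -> 167772165 (dotted quad as a 32-bit integer)
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside the IPv4 prefix.
# IPv6 clients never match an IPv4 prefix, so they fall through to "full".
ip_in_cidr() {
    case $1 in *:*) return 1 ;; esac
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# session_mode "CLIENT_IP CLIENT_PORT SERVER_IP SERVER_PORT" -> readonly|full|deny
# Takes the SSH_CONNECTION string sshd sets; with no address to decide on
# (console login, or a session not started by sshd) the wrapper refuses.
session_mode() {
    client=${1%% *}
    [ -n "$client" ] || { echo deny; return; }
    if ip_in_cidr "$client" "$READONLY_NET"; then
        echo readonly
    else
        echo full
    fi
}

# Root-side setup for Serge's option (1): expose the real home read-only
# inside the container that owns the second IP. Printed rather than run so
# the recipe can be reviewed first. The two-step bind + remount is the
# classic idiom; on older kernels every nested mount below the home needs
# its own "remount,bind,ro", since the flag is not applied recursively.
readonly_home_recipe() {
    user=$1
    # Assumed LXC layout; adjust to wherever the container's rootfs lives.
    rootfs="${CONTAINER_ROOT:-/var/lib/lxc/ro-$user/rootfs}"
    printf 'mount --rbind /home/%s %s/home/%s\n' "$user" "$rootfs" "$user"
    printf 'mount -o remount,bind,ro %s/home/%s\n' "$rootfs" "$user"
}

# When installed as the user's login shell (chsh -s /usr/local/bin/ro-login USER),
# hand the session to the real shell in the chosen mode. "$@" passes through
# the "-c command" sshd supplies for scp/sftp/remote commands.
# Note that bash -r only restricts what the shell itself will do (cd, PATH,
# redirections); it does not make the filesystem read-only. That is Michael's
# "one has to be very careful" point, and why the mount above is the real
# enforcement.
if [ "${0##*/}" = "ro-login" ]; then
    case $(session_mode "${SSH_CONNECTION:-}") in
        full)     exec "$REAL_SHELL" "$@" ;;
        readonly) exec "$REAL_SHELL" -r "$@" ;;
        *)        echo "login refused: no client address available" >&2; exit 1 ;;
    esac
fi
```

The decision and the enforcement are deliberately separate: `session_mode` only answers "where did this login come from", while the mount recipe is what actually stops writes, so the wrapper can be swapped for a PAM or AppArmor hook without touching the mount side.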




More information about the ubuntu-server mailing list