restricting ssh login based on IP

Scott Moser smoser at
Mon Feb 28 14:06:53 UTC 2011

On Mon, 28 Feb 2011, Serge E. Hallyn wrote:

> Quoting Michael Zoet (Michael.Zoet at
> >
> > Hash: SHA1
> >
> > Am 26.02.2011 10:21, schrieb Tapas Mishra:
> > > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner <dsheffner at> wrote:
> > >> Like Michael said I would accomplish this with two users. Just off the top
> > >> of my head I would do:
> > > No not two users it has to be same user who has to be restricted based
> > > on IP from which he logs in.
> >
> > Normally I would say it is impossible, but I do not know everything
> > about PAM, jails and so on. The file system persmissions are not based
> > on the IP a user came from, so you need to tweak a lot! If I really
> > had to do such things I would write a shell script that looks up from
> > where the user came and setup the enviromnet accordingly and make this
> > shell script the login shell. But this is lot of work and someone has
> > to be very carefull...
> Right - giving details to match those in the requirements :), two ways
> you could do this include (1) creating a container for the readonly
> user, give it the second IP (or fwd the second IP to it), and make
> /home/$user a recursive readonly bind mount of the real home.  And
> (2) you could presumably use an apparmor rule.  First thought is
> write your own trivial pam module to set the user's apparmor context
> based on login.

I've done something like this before, jailing into a given root based on a
login name.  There was really only 1 user, but 2 entries in /etc/passwd, so
you could get in as 'user-jailed' or 'user'.  or some such.  The key was
that the user had their shell in /etc/passwd as '/bin/my-jail-user' or
something like that.  That was a program that decided to jail or not and
then executed the appropriate "real" shell.

I think that you could probably do something like this.  The only thing
I'm not really sure how to do with more digging is to find the source IP
address of the ssh connection.  I'm sure it can be done.

Like everyone else, I'm intrigued by what you're wanting to do, and would
like more info.  It seems like whatever you do here is really a hack that
will quite likely bite you later.

More information about the ubuntu-server mailing list