restricting ssh login based on IP

Tapas Mishra mightydreams at gmail.com
Mon Feb 28 14:27:19 UTC 2011


On Mon, Feb 28, 2011 at 7:36 PM, Scott Moser <smoser at ubuntu.com> wrote:
> On Mon, 28 Feb 2011, Serge E. Hallyn wrote:
>
>> Quoting Michael Zoet (Michael.Zoet at zoet.de):
>> >
>> > On 26.02.2011 10:21, Tapas Mishra wrote:
>> > > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner <dsheffner at gmail.com> wrote:
>> > >> Like Michael said I would accomplish this with two users. Just off the top
>> > >> of my head I would do:
>> > > No not two users it has to be same user who has to be restricted based
>> > > on IP from which he logs in.
>> >
>> > Normally I would say it is impossible, but I do not know everything
>> > about PAM, jails and so on. The file system permissions are not based
>> > on the IP a user came from, so you need to tweak a lot! If I really
>> > had to do such things I would write a shell script that looks up from
>> > where the user came and setup the environment accordingly and make this
>> > shell script the login shell. But this is lot of work and someone has
>> > to be very careful...
>>
>> Right - giving details to match those in the requirements :), two ways
>> you could do this include (1) creating a container for the readonly
>> user, give it the second IP (or fwd the second IP to it), and make
>> /home/$user a recursive readonly bind mount of the real home.  And
>> (2) you could presumably use an apparmor rule.  First thought is
>> write your own trivial pam module to set the user's apparmor context
>> based on login.
>
> I've done something like this before, jailing into a given root based on a
> login name.  There was really only 1 user, but 2 entries in /etc/passwd, so
> you could get in as 'user-jailed' or 'user'.  or some such.  The key was
> that the user had their shell in /etc/passwd as '/bin/my-jail-user' or
> something like that.  That was a program that decided to jail or not and
> then executed the appropriate "real" shell.
>
> I think that you could probably do something like this.  The only thing
> I'm not really sure how to do with more digging is to find the source IP
> address of the ssh connection.  I'm sure it can be done.
>
Thanks for this information.
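The wrapper-shell approach Scott describes, carried through as an added example (not code from anyone in this thread): sshd exports the client address in the SSH_CONNECTION environment variable, so a wrapper installed as the user's login shell can read it and exec either the full shell or a restricted one. Assumed names: the install path /usr/local/bin/ip-gated-shell, the trusted address 192.0.2.10 (constructed), /bin/rbash as the restricted shell.

```shell
#!/bin/sh
# ip-gated-shell: wrapper login shell (added example, hypothetical path
# /usr/local/bin/ip-gated-shell, set as the user's shell in /etc/passwd).
# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port";
# the first field is the address the user came from.

TRUSTED_IP="${TRUSTED_IP:-192.0.2.10}"          # constructed example address
FULL_SHELL="${FULL_SHELL:-/bin/bash}"           # shell for the trusted address
RESTRICTED_SHELL="${RESTRICTED_SHELL:-/bin/rbash}"  # shell for everyone else

# Print the client IP from an SSH_CONNECTION value; empty if it is absent.
client_ip_from_ssh_connection() {
    set -- $1                 # split on whitespace, keep the first field
    printf '%s' "${1:-}"
}

# Choose the real shell for a client IP.  Fails closed: an empty or
# unrecognised address (console login, su, local access) is restricted.
choose_shell() {
    ip="$1"
    if [ -n "$ip" ] && [ "$ip" = "$TRUSTED_IP" ]; then
        printf '%s' "$FULL_SHELL"
    else
        printf '%s' "$RESTRICTED_SHELL"
    fi
}

main() {
    ip=$(client_ip_from_ssh_connection "${SSH_CONNECTION:-}")
    shell=$(choose_shell "$ip")
    # Record the decision for audit; logger may be absent on minimal systems.
    command -v logger >/dev/null 2>&1 && \
        logger -t ip-gated-shell "user=$(id -un) client=${ip:-none} shell=$shell"
    # sshd invokes a login shell with a leading '-' in argv[0]; keep that
    # semantics, and pass through any "-c command" it supplies.
    case "$0" in
        -*) exec "$shell" -l "$@" ;;
        *)  exec "$shell" "$@" ;;
    esac
}

# Only exec a shell when actually installed under the wrapper's name, so the
# functions above can be sourced and tested without replacing the process.
case "$0" in
    *ip-gated-shell*) main "$@" ;;
esac
```

Because the decision is made at login, a user who was already in the full shell keeps it until they log out; if the trusted address must also be enforced at the network edge, pair this with an sshd Match Address block or firewall rule.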