From: Vlad GALU <vladgalu@gmail.com>
To: Volker Kindermann, freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 21:22:16 +0300
Subject: Re: Question restricting ssh access for some users only
Message-ID: <79722fad041007112227c3c241@mail.gmail.com>
In-Reply-To: <20041007180630.GA25130@yem.eng.utah.edu>
References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu>
List-Id: Security issues [members-only posting]

On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden wrote:
> Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > Hi Jim,
> >
> > > I've used ssh as a secure telnet up to now but done little else with
> > > it. The FreeBSD machines I look after on our internet-facing network
> > > all have one account which I connect to for administration. I've set
> > > up /etc/hosts.allow on all the machines to only allow ssh from a
> > > limited internal network range.
> > >
> > > Now I want to create a new account on one machine which will be
> > > accessible from the Internet as a whole, to be used for tunnelling of
> > > SMTP and POP3. I can't predict what the client IP address will be so I
> > > will have to remove the hosts.allow restriction.
> >
> > Have you considered the "AllowGroups" and "AllowUsers" directives of
> > sshd_config? They should provide exactly the functionality that you want.
>
> But what if you have 1000 users? From my understanding you would have
> to add all users to the AllowUsers list.

Or simply add all of them to one of the groups specified in "AllowGroups".

> -Mark
>
> > -volker

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
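The thread above leaves one thing unstated that bites people who combine the two directives: sshd evaluates DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and when both an Allow list of users and an Allow list of groups are present a login must satisfy both. Below is an added example, written for this page and not code from the thread or from OpenSSH, that models that documented evaluation order in Python over two constructed sshd_config fragments and a toy group database. The user names, group names and addresses are hypothetical, and host patterns are approximated with shell-style wildcards (real sshd also accepts CIDR and negated patterns for the HOST half of USER@HOST, which this toy does not implement):

```python
"""Model sshd's AllowUsers/AllowGroups/DenyUsers/DenyGroups evaluation order.

This is an added illustration, not OpenSSH code. It exists to show why the
'admin from the internal net, 1000 tunnel users from anywhere' setup in the
thread cannot be expressed by simply setting AllowUsers and AllowGroups
side by side, and why putting everyone in a group (as Vlad suggests) works.
"""
from fnmatch import fnmatchcase

# Constructed toy account database (hypothetical names).
GROUPS = {
    "wheel": {"admin"},
    "tunnel": {"alice", "bob"},   # stand-in for the "1000 users"
}

# Constructed config fragment 1: tries to restrict admin by source address
# with AllowUsers while opening the tunnel group with AllowGroups.
NAIVE_CONFIG = """
AllowUsers admin@10.1.2.*
AllowGroups tunnel
"""

# Constructed config fragment 2: a single group list, the approach from the reply.
GROUP_CONFIG = """
AllowGroups wheel tunnel
"""

# Order in which sshd_config(5) says the four lists are applied.
ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse(config):
    """Collect the patterns of the four access-list keywords from a config text."""
    rules = {k: [] for k in ORDER}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key in rules:
            rules[key].extend(rest.split())
    return rules


def user_matches(pattern, user, host, addr):
    """Match a USER or USER@HOST pattern; HOST is tested against name and address."""
    name_pat, _, host_pat = pattern.partition("@")
    if not fnmatchcase(user, name_pat):
        return False
    if not host_pat:              # plain USER pattern: any client
        return True
    return fnmatchcase(host, host_pat) or fnmatchcase(addr, host_pat)


def groups_of(user):
    """All groups the user belongs to (sshd checks primary and supplementary)."""
    return {g for g, members in GROUPS.items() if user in members}


def login_allowed(config, user, host, addr):
    """Apply the lists in sshd's documented order and return True if login may proceed."""
    rules = parse(config)
    if any(user_matches(p, user, host, addr) for p in rules["DenyUsers"]):
        return False
    # An AllowUsers list, once present, must be matched by every login.
    if rules["AllowUsers"] and not any(
            user_matches(p, user, host, addr) for p in rules["AllowUsers"]):
        return False
    groups = groups_of(user)
    if any(fnmatchcase(g, p) for g in groups for p in rules["DenyGroups"]):
        return False
    # Likewise an AllowGroups list must be matched, in addition to AllowUsers.
    if rules["AllowGroups"] and not any(
            fnmatchcase(g, p) for g in groups for p in rules["AllowGroups"]):
        return False
    return True


if __name__ == "__main__":
    cases = [("alice", "dsl.example.net", "203.0.113.7"),
             ("admin", "mgmt.internal", "10.1.2.5"),
             ("carol", "dsl.example.net", "203.0.113.9")]
    for label, cfg in (("naive", NAIVE_CONFIG), ("groups", GROUP_CONFIG)):
        for user, host, addr in cases:
            print(label, user, addr, login_allowed(cfg, user, host, addr))
```

Under the naive fragment nobody gets in: alice fails AllowUsers, and admin passes AllowUsers but then fails AllowGroups because wheel is not listed. Under the group fragment alice and admin both log in and carol, who is in no listed group, is refused; the price is that admin is no longer tied to the internal range, so that restriction has to live elsewhere (a source-specific USER@HOST pattern for admin inside the same list, or, on newer sshd versions, a Match block) rather than in a second Allow list.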