Date:      Mon, 7 Jan 2008 18:25:59 -0500
From:      Bill Moran <wmoran@potentialtech.com>
To:        ivan dimitrov <dimitrovi58@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Users login configuration
Message-ID:  <20080107182559.51b4975a.wmoran@potentialtech.com>
In-Reply-To: <635691.6667.qm@web56814.mail.re3.yahoo.com>
References:  <635691.6667.qm@web56814.mail.re3.yahoo.com>

In response to ivan dimitrov <dimitrovi58@yahoo.com>:

>     Hi list,
> 
>     I have a FreeBSD server connected in local network behind a router.
>     Is there a way to configure the sshd to allow to login some (group
> of) users with their passwords only from the local network and to allow
> login other (and part of these) users only with key pairs from the
> internet (on that side of the router)?

Please wrap your lines around 72 characters or so.

To restrict which users can log in, create a unix group and add only
those users to that group, then in /etc/ssh/sshd_config, use the
AllowGroups directive to control which groups can log in.

To control whether a user can use a password to log in, set
PasswordAuthentication to no.  You'll probably need to turn off
ChallengeResponseAuthentication as well for this to work, as PAM
has a way of doing things that you didn't expect.

In order to have different policies on different internet interfaces,
I believe you're going to need to run two sshd processes on two
different IP addresses with two different config files.  You can then
use the ListenAddress directive to cause each sshd to listen only to
a specific IP and use either routing or packet filtering to control
who can get to which one.

-- 
Bill Moran
http://www.potentialtech.com
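
The two-instance layout described in the reply above, sketched as an added example that is not part of the original message. The addresses, the group names `sshlocal` and `sshremote`, and the second file name `sshd_config_external` are assumptions chosen for illustration; the router is assumed to forward Internet SSH traffic only to the second address.

```conf
# Constructed example: two sshd instances, one config file each.
# Addresses, group names and the second file name are placeholders.

# ---- /etc/ssh/sshd_config  (LAN instance) ----
# Reachable only from the local network (enforce with the packet
# filter or by not forwarding this address on the router).
ListenAddress 192.168.1.10
PidFile /var/run/sshd.pid
AllowGroups sshlocal
PasswordAuthentication yes
PubkeyAuthentication yes

# ---- /etc/ssh/sshd_config_external  (Internet-facing instance) ----
# The router forwards inbound SSH to this address only.
ListenAddress 192.168.1.11
PidFile /var/run/sshd_external.pid
AllowGroups sshremote
PubkeyAuthentication yes
PasswordAuthentication no
# Without this, PAM can still prompt for a password through
# keyboard-interactive authentication.
ChallengeResponseAuthentication no

# Validate, then start the second instance with its own file:
#   sshd -t -f /etc/ssh/sshd_config_external
#   /usr/sbin/sshd -f /etc/ssh/sshd_config_external
```

A user who should log in with a password on the LAN and with a key from the Internet is simply a member of both groups.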


