Finer grain control of SSH access

Pete Nesbitt pete at linux1.ca
Fri May 28 02:31:13 UTC 2004


On May 27, 2004 05:05 am, Reuben D. Budiardja wrote:
> Hello,
> I am wondering if someone can help me on how to achieve the following.
>
> 1. I use tcp wrapper with SSH (/etc/hosts.allow & hosts.deny). I have a
> policy for our server that only access from my domain (.utk.edu domain) is
> allowed. But we also have several exceptions for people who are outside this
> domain, so I add that domain to /etc/hosts.allow. What I really want,
> though, is if I can restrict it so that only a certain username can SSH to the
> server from this remote domain. So for example, if I add the .comcast.net
> domain to /etc/hosts.allow, I want to restrict it further to: "only
> username 'the-boss' can SSH to this machine from comcast.net". Is there any
> way to do that at all?
>
> 2. Public-key login: I want to disable public-key login, and I know how to
> do that. However, there are certain cases where we want to allow public-key
> login, e.g. for automated backup, or running parallel jobs in a Beowulf cluster.
> So I am wondering if there's a way to disable public-key login in general,
> but allow public-key login from a very restrictive set of IPs, e.g.: disable
> public-key login, except from IP 10.0.0.0/250 (local network).
>
> Any help on how to do any of those would be greatly appreciated.
>
> Thanks in advance.
> RDB
> --
> Reuben D. Budiardja
> Department of Physics and Astronomy
> The University of Tennessee, Knoxville, TN
> ---------------------------------------------------------
> "To be a nemesis, you have to actively try to destroy
> something, don't you? Really, I'm not out to destroy
> Microsoft. That will just be a completely unintentional
> side effect."
>                  - Linus Torvalds -


Hi,
It looks like Ed and Matthew pretty much covered it, but in case you want more
info, I have a couple of docs on restricted ssh access etc. at:
http://nesbitt.yi.org/howto.shtml

-- 
Pete Nesbitt, rhce
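For reference, here is one way both of the original requirements can be expressed in sshd_config; this is an added example, not from the thread or from the linked howto. tcp wrappers decide at connect time, before the username is known, so they can only do the per-host part; the per-user and per-network rules have to live in sshd_config. It assumes a modern OpenSSH (Match blocks did not exist in the 2004-era 3.x servers), a /8 as the local prefix, and the domain names from the question as placeholders.

```text
# /etc/ssh/sshd_config (fragment, hypothetical example). Global defaults deny
# what the Match block below does not explicitly open.
PubkeyAuthentication no
PasswordAuthentication yes

# 1. Who may log in, and from where. user@host patterns: the host part is
#    matched against the client IP and, with UseDNS yes, its reverse name
#    (sshd also forward-confirms that name, so a spoofed PTR record does not
#    match). Any account from utk.edu, only 'the-boss' from comcast.net,
#    everyone else is refused. Keep hosts.allow as the outer layer.
UseDNS yes
AllowUsers *@*.utk.edu the-boss@*.comcast.net

# 2. Public-key login only from the local network (backup jobs, cluster nodes).
#    Adjust the prefix; note /250 is not a valid mask length.
Match Address 10.0.0.0/8
    PubkeyAuthentication yes
    PasswordAuthentication no
```

Check the effective policy for a given client before reloading with `sshd -T -C user=the-boss,addr=10.0.0.5,host=node5`, which prints the options sshd would apply to that connection.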
More information about the redhat-list mailing list