# SSH deny/allow users per host/ip

## Biffen

Hi!

I have a question about ssh (openssh)

Is it possible to deny users login from all IPs/hosts but allow them to log in from a specific IP/host? Or only allow a user access if connecting from a specified host.

Here is my example:

Customer1 should have access to only one account, only sftp (using scponly shell). I want to deny them from being able to connect as other users.

On the other side, from my 192.68.0 I want to be able to connect to all accounts, including the Customer sftp account.

Regards,

Biffen

----------

## seank

Why not just do this with your firewall (you have one, right?)?

----------

## cselkirk

Your openssh should have support for tcpwrappers (USE="+tcpd" .. which is default). So, you can use tcpwrappers to allow/deny based on hostname/service.

HTH

----------

## Paulten

This may not be as advanced as the thing you describe you want, but worth mentioning maybe:

/etc/hosts.allow:

```
sshd : x.x.x.x : allow
sshd : x.x.x.x : allow
sshd : ALL : deny
```

----------

## nielchiano

I'm not sure, but I think he means it like this:

IP 1 should be able to connect to the SSH server, but only be able to login to user 1

IP 2 ..... user 2

IP-range 3 ... ALL users

So not just restrict certain IP's (or restrict all and allow certain), but restrict user/IP-pairs.

One way I know to do it is by using keys: you can tell in the authorized_keys that the key is only valid from certain IPs...

Not sure how to do it with passwords.

----------

## Biffen

 *sean_micken wrote:*   

> Why not just do this with your firewall (you have one, right?)?

 

Well, I meant deny/allow user login access based on what host they are connecting from.  :Wink: 

----------

## Biffen

 *cselkirk wrote:*   

> Your openssh should have support for tcpwrappers (USE="+tcpd" .. which is default). So, you can use tcpwrappers to allow/deny based on hostname/service.
> 
> HTH

 

I have looked into that but can't get it right, maybe you know some guides?

----------

## Biffen

 *Paulten wrote:*   

> This may not be as advanced as the thing you describe you want, but worth mentioning maybe:
> 
> /etc/hosts.allow  : 
> 
> sshd : x.x.x.x : allow
> ...

 

As I said, login access based on what host they are connecting from.  :Smile: 

----------

## Biffen

 *nielchiano wrote:*   

> I'm not sure, but I think he means it like this:
> 
> IP 1 should be able to connect to the SSH server, but only be able to login to user 1
> 
> IP 2 ..... user 2
> ...

 

Yes, maybe I was a bit unclear when asking  :Wink: 

This is what I want to get:

from the internet, open the fw for 1 host (customer1)

in ssh only allow him to log in to a specific account (in this case, an sftp-only account, using scponly shell)

from my internal network, all hosts have access to any accounts. (or based on the hosts they connect from)

---

OK, maybe it's possible if I use authorized_keys? Do you know any guide on this?

----------

## spb

 *man sshd_config wrote:*   

>      AllowUsers
> 
>              This keyword can be followed by a list of user name patterns,
> 
>              separated by spaces.  If specified, login is allowed only for
> ...

 

Looks like it may be helpful.

----------

## Biffen

 *spb wrote:*   

> *man sshd_config wrote:*
> 
> >      AllowUsers
> > 
> >              This keyword can be followed by a list of user name patterns,
> > 
> >              separated by spaces.  If specified, login is allowed only for
> > ...

 

Yes, I tried to get it to work, but I haven't had any luck yet. I tried several configurations. Login is only possible if not using any hosts.allow/hosts.deny at all, or only if the host is entered in hosts.allow. If I try to configure any AllowUsers/DenyUsers, sshd just responds to my hosts.allow/hosts.deny configuration (if not using them, all users/hosts are allowed to log in).

Shouldn't this be working?

hosts.deny

```
ALL: ALL
```

hosts.allow

```
192.168.0.40 192.168.0.50
```

in sshd_config

```
AllowUsers myuser@192.168.0.40
DenyUsers myuser@192.168.0.50
```

myuser is only allowed to log in from 192.168.0.40, any other users are allowed from both hosts, no other hosts are allowed at all.

- - -

If I try to log in, both hosts are allowed to log in as myuser. :/

----------

## gcasillo

Just a friendly reminder to those using the "AllowUsers" syntax in their sshd_config files: remember to prepend the username to the IP address. Otherwise, nobody gets in.  :Embarassed: 

So can I use a wildcard with AllowUsers to allow _all_ users from a range of IP addresses? For example:

```
AllowUsers *@192.168.0.*
```

Will that work I wonder?

----------
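The following is an added example, not code from this thread or from OpenSSH: a small Python model of how sshd evaluates DenyUsers and AllowUsers as described in sshd_config(5), run over the configuration quoted above (AllowUsers myuser@192.168.0.40 with DenyUsers myuser@192.168.0.50) and over a version that covers the original question, including the `*@192.168.0.*` wildcard asked about in the last post. It assumes what the man page states: each entry is USER or USER@HOST, `*` and `?` are wildcards, the HOST part is matched against both the client's resolved hostname and its IP address, DenyUsers is processed before AllowUsers, and once AllowUsers is set every login that matches no entry is refused. The hostnames, the customer address 203.0.113.7 and the login attempts are constructed sample data, and the `[...]` character classes that Python's fnmatch accepts are not part of sshd's pattern syntax.

```python
# Added example, not code from the forum thread or from OpenSSH: a model of
# how sshd applies DenyUsers and AllowUsers, following sshd_config(5).
# Assumptions: entries are USER or USER@HOST; '*' and '?' are wildcards
# (approximated with fnmatchcase, which also accepts [...] classes that sshd
# does not); the HOST part is matched against the client's reverse-DNS name
# and against its IP address; DenyUsers is evaluated first; a non-empty
# AllowUsers list refuses every login that matches none of its entries.
# DenyGroups/AllowGroups and '!' negation are left out of the model.
from fnmatch import fnmatchcase


def pattern_matches(pattern, user, host, addr):
    """True if one AllowUsers/DenyUsers entry matches this login attempt."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        if not fnmatchcase(user, user_pat):
            return False
        # The host part may match either the resolved hostname or the IP.
        return fnmatchcase(host, host_pat) or fnmatchcase(addr, host_pat)
    return fnmatchcase(user, pattern)


def login_allowed(user, host, addr, deny_users=(), allow_users=()):
    """Apply DenyUsers, then AllowUsers. Returns (allowed, reason)."""
    for pat in deny_users:
        if pattern_matches(pat, user, host, addr):
            return False, f"denied by DenyUsers entry {pat!r}"
    if allow_users:
        for pat in allow_users:
            if pattern_matches(pat, user, host, addr):
                return True, f"allowed by AllowUsers entry {pat!r}"
        return False, "AllowUsers is set and no entry matched"
    return True, "no AllowUsers restriction"


# Constructed sample: the sshd_config lines quoted in the thread.
THREAD_CONFIG = {
    "deny_users": ["myuser@192.168.0.50"],
    "allow_users": ["myuser@192.168.0.40"],
}

# Constructed sample for the original question: one customer account from a
# single internet address (203.0.113.7 is a placeholder) plus every account
# from the internal network, using the wildcard form asked about above.
INTENDED_CONFIG = {
    "deny_users": [],
    "allow_users": ["customer1@203.0.113.7", "*@192.168.0.*"],
}

# Constructed login attempts: (user, resolved hostname, client address).
ATTEMPTS = [
    ("myuser", "ws40.lan", "192.168.0.40"),
    ("myuser", "ws50.lan", "192.168.0.50"),
    ("otheruser", "ws40.lan", "192.168.0.40"),
    ("customer1", "unknown", "203.0.113.7"),
    ("customer1", "unknown", "198.51.100.9"),
]


def evaluate(config, attempts=ATTEMPTS):
    """Map each (user, addr) attempt to True/False under one config."""
    return {
        (user, addr): login_allowed(user, host, addr, **config)[0]
        for user, host, addr in attempts
    }


if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG),
                      ("intended config", INTENDED_CONFIG)):
        print(name)
        for user, host, addr in ATTEMPTS:
            ok, why = login_allowed(user, host, addr, **cfg)
            print(f"  {user}@{addr}: {'ALLOW' if ok else 'DENY '} ({why})")
```

Run as a script it prints the decision and the matching entry for every attempt. The thread configuration lets myuser in from .40 and refuses it from .50, but it also refuses every other account from every host, because a non-empty AllowUsers is a whitelist. The second configuration lists the customer's address for one account and `*@192.168.0.*` for the internal network, which is the wildcard form the last post asks about. Two practical checks when a change like this appears to have no effect: the hostname half of each entry only matters if sshd resolves client addresses (the UseDNS setting), and sshd reads sshd_config at startup, so it has to be reloaded after editing; `sshd -t` reports syntax errors before the reload.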

