
I'm trying to restrict access to an existing sftp server for one user, so that it can log in only from a single IP address, but it's not working. In my case, I'm trying to allow the user some_user to log in ONLY from 192.168.12.10.

This is my complete sshd_config file:

Port 22
Protocol 2
SyslogFacility AUTHPRIV
RSAAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
GSSAPICleanupCredentials yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding no
Subsystem       sftp    /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,[email protected],hmac-ripemd160
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody

Match User some_user, Address !192.168.12.10
    PasswordAuthentication no
    PubkeyAuthentication yes

Match User some_user, Address 192.168.12.10
    ChrootDirectory /home/some_user/
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

I got this configuration (the Match User sections) from this page.

But it's not working: I'm still able to log in from any IP address. I've also tried what is suggested in this thread but to no avail.

Am I missing something?

Thanks for your attention.

Best regards.

  • 1
    Why do you have two Match User entries for the same IP? Try to set PubkeyAuthentication no.
    – harrymc
    Commented Apr 29, 2021 at 11:47
  • I took it from the example shown in the first link I included in the post. Anyway, I had also tried with a single Match User section (with Address 192.168.12.20), but with the same results. Thanks.
    – tapp
    Commented Apr 29, 2021 at 12:14

1 Answer


The solution for the problem was to use the simpler solution of adding this configuration line:

AllowUsers some_user@192.168.12.10 otherid1 otherid2

This allows some_user only from 192.168.12.10, and otherid1, otherid2 from anywhere.


Old answer

There is perhaps a simpler and safer way to restrict SSH access to only certain IP addresses on a machine.

/etc/hosts.allow

sshd,sshdfwd-X11: 192.168.12.10

/etc/hosts.deny

To refuse SSH connections from any address not listed above:

sshd,sshdfwd-X11:ALL

Restrict SSH access by username (optional)

Edit /etc/ssh/sshd_config and add the following:

PermitRootLogin no
AllowUsers      user1 user2 user3 etc
PasswordAuthentication yes

Restart the ssh daemon for these changes to take effect:

service sshd restart
  • Thanks, but this sftp server is intended for several users (all of them allowed from any ip), and I only need the restriction for one of them. Thanks again.
    – tapp
    Commented Apr 29, 2021 at 12:52
  • This can be done by one line: AllowUsers some_user@192.168.12.10 otherid1 otherid2, to allow some_user only from 192.168.12.10 and otherid1, otherid2 from anywhere.
    – harrymc
    Commented Apr 29, 2021 at 13:20
  • Thanks! It is working now. That's what I needed.
    – tapp
    Commented Apr 29, 2021 at 14:56
  • Done, sorry. Thanks.
    – tapp
    Commented May 4, 2021 at 6:06
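
The Match blocks in the question only set options that were already the global values, so they never refuse a login; the AllowUsers line does. As an added example (not code from the answer or from OpenSSH), here is a simplified Python model of how sshd evaluates AllowUsers/DenyUsers entries of the form user or user@host, so you can see why some_user is accepted only from 192.168.12.10, why otherid1 and otherid2 still get in from anywhere, and the caveat that any account not listed is refused once AllowUsers is set. It assumes the glob and CIDR rules documented in sshd_config(5) and a constructed client hostname "client".

```python
import ipaddress
import re


def glob_match(value, pattern):
    """OpenSSH-style pattern: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def host_matches(host, addr, pattern):
    """Match the part after '@' against the client's hostname or address.
    A pattern containing '/' is treated as a CIDR block (sshd accepts those
    too); a leading '!' negates the whole pattern. Simplified model."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if "/" in pattern:
        try:
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            hit = False
    else:
        hit = glob_match(host, pattern) or glob_match(addr, pattern)
    return not hit if negate else hit


def entry_matches(user, host, addr, entry):
    """One AllowUsers/DenyUsers token: either 'user' or 'user@host'."""
    if "@" not in entry:
        return glob_match(user, entry)
    user_pat, host_pat = entry.split("@", 1)
    return glob_match(user, user_pat) and host_matches(host, addr, host_pat)


def login_permitted(user, host, addr, allow_users=(), deny_users=()):
    """sshd checks DenyUsers first, then AllowUsers; once AllowUsers is
    set, every user matching none of its entries is refused."""
    if any(entry_matches(user, host, addr, e) for e in deny_users):
        return False
    if allow_users and not any(entry_matches(user, host, addr, e) for e in allow_users):
        return False
    return True


# The accepted one-line fix from the answer, as a constructed AllowUsers list.
ALLOW_USERS = ("some_user@192.168.12.10", "otherid1", "otherid2")
```

Note that a user such as root or any service account not named in ALLOW_USERS is now rejected as well, which is usually what you want but is easy to overlook on a shared server.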
