How to deny a specific user access via SSH when connecting on a specific interface?

T

the_bizzon2016-04-12 18:21:04

linux

the_bizzon, 2016-04-12 18:21:04

Here is a question. There is a server with two interfaces (Ubuntu 14). One looks to the local network the other to the Internet. The server has 2 users admin and user . Worth SFTP. User must have access from the Internet to his folder via SFTP and not have access to the shell. Everything is set up and working fine.
But as a side effect, access from the Internet via ssh and sftp is also available from admin . I would like to close. If you add a line ListenAddress in /etc/ssh/sshd_config indicating the address of the local interface, then access from outside is closed, including for SFTP user , which is not good. If we formulate the task in short, then: It is required to prohibit
a specific user access via SSH when connecting on a specific interface. Any ideas?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

T

the_bizzon, 2016-04-12
@the_bizzon

Thanks to everyone for the advice, they pushed me to the right decision.
Actually the decision.
Everything is solved by editing the file /etc/ssh/sshd_config

Let's create a directive that allows the user user only SFTP and define a directory for it (I already had it)
Match User user
ChrootDirectory /ftp/user/
ForceCommand internal-sftp

Create a directive allowing SSH access to the admin user only if the client's ip address is in the range of local addresses
Match Address 192.168.0.0/24
AllowUsers admin
Maybe someone will come in handy.

L

Lynn "Coffee Man", 2016-04-12
@Lynn

man 5 sshd_config
DenyUsers etc.

3

3vi1_0n3, 2016-04-12
@3vi1_0n3

How do you like the idea of running two instances of sshd with different configs?
sshd -f config_file
And by the way, have you tried AllowUsers?