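Can ssh be restricted like this?
- 自由建客
- Posts: 13468
- Registered: 2008-07-30 23:21
- System: Debian stable AMD64
Can ssh be restricted like this?
I want root to be able to log in only from eth1, while the other accounts can log in from eth0.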
-
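- Forum moderator
- Posts: 18279
- Registered: 2009-08-04 16:33
Re: Can ssh be restricted like this?
You can write these conditions in authorized_keys on the SSH server side.
"I want root to be able to log in only from eth1, while the other accounts can log in from eth0."
For details, see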
http://man.he.net/man5/authorized_keys
added to the per-user file
- susbarbatus
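- Posts: 2966
- Registered: 2010-04-10 16:14
- System: Arch Linux
- 自由建客
- Posts: 13468
- Registered: 2008-07-30 23:21
- System: Debian stable AMD64
Re: Can ssh be restricted like this?
It's great to be able to read foreign languages; machine translation still isn't good enough.
AllowUsers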
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
-
- Forum moderator
- Posts: 18279
- Registered: 2009-08-04 16:33
Re: Can ssh be restricted like this?
Here is an example
http://troy.jdmz.net/rsnapshot/
Written in authorized_keys
Restricting The Key :
from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync" ssh-dss AAAAB3Nza
... (middle omitted)
j2yBgN5cy8arlZ80q1Mcy763RjYGkR/FkLJ611HWIA= root@localhost.example.com
1. from="10.1.1.1": connections are allowed only from 10.1.1.1
2. /home/remoteuser/cron/validate-rsync: this file is executed first after connecting
3. Restricted to the user root@localhost.example.com
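
The kind of check a forced command such as the validate-rsync file in the post above can perform, as an added example that is not part of the thread or of the linked page. The function names, the `--run` argument and the wrapper path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: a forced-command wrapper in the role of validate-rsync.
# With command="..." on the key line, sshd runs only this script and puts
# what the client asked for in SSH_ORIGINAL_COMMAND.

# is_allowed_rsync CMD: return 0 only for a plain "rsync --server ..." request.
is_allowed_rsync() {
    nl='
'
    case "$1" in
        # Reject anything a shell could treat as chaining, redirection or
        # substitution, plus embedded newlines.
        *"&"*|*";"*|*"|"*|*"<"*|*">"*|*'`'*|*'$'*|*"("*|*")"*|*"$nl"*)
            return 1 ;;
        "rsync --server "*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

run_forced_command() {
    if is_allowed_rsync "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f   # no globbing: the unquoted expansion below only word-splits
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    fi
    # Unset SSH_ORIGINAL_COMMAND means an interactive login attempt.
    echo "Rejected" >&2
    return 1
}

# Assumed invocation (path is a placeholder):
#   from="10.1.1.1",command="/path/to/wrapper --run" <key type> <key> <comment>
if [ "${1:-}" = "--run" ]; then
    run_forced_command || exit 1
fi
```

Because the accepted command is word-split rather than evaluated, rsync paths that contain spaces will not pass through this wrapper intact.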