I am pretty sure this can be done using PAM (ie pam_access.so and /etc/security/access.conf) but this was originally under a unix that didn't support PAM (but had its own framework.)
# @(#) /etc/ssh/sshd_config DenyUsers root postfix # Match criteria are ANDs # eg Match Address 188.8.131.52 User teredo # means match User teredo from 184.108.40.206 Match Address 10.0.0.0/8 #.. Match Address 172.16.0.0/12 #.. Match Address 192.168.0.0/16 # .. Match Group ssh_access # ..
I wanted to deny some users outright, permit the rest access from the local network and some users (specified in a unix group) unrestricted access. eg
# @(#) /etc/ssh/sshd_config # ... # >> This does *not* work << -- See sshd_config(5) DenyUsers root postfix AllowUsers *@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16 AllowGroups ssh_access
Looking at the code in auth.c it turns out that modifying this without doing too much violence to the original is fairly straight forward.
# @(#) /etc/ssh/sshd_config # Turn on alternate policy otherwise business as usual. AlternateAllowPolicy yes # What do we do if we don't allow or deny a user explicitly? AllowByDefault no DenyUsers root postfix AllowUsers *@10.0.0.0/8 *@172.16.0.0/12 *@192.168.0.0/16 AllowGroups ssh_access
The patch in files/ is against openssh 5.9p1 but the code in the affected files (auth.c, servconf.c, servconf.h) has remained substantially unchanged from 5.8p1.
Unpack the openssh-5.9p1 tarball, apply the patch, configure with
usual switches appending:
./configure --prefix=/opt/openssh-5.9 --sysconfdir=/etc/openssh-5.9\ --with-cppflags="-DALTERNATE_AUTH_POLICY=1"
LICENSE for patch only
Creative Commons CC0 http://creativecommons.org/publicdomain/zero/1.0/legalcode