I must allow SSH because I'm building a headless server, but I want to restrict SSH to two accounts. One will be allowed to SSH in from anywhere, but the other is to only be allowed in from within my local private network (192.168.x.x or 10.x.x.x, etc). I also want to restrict the second account to using a public key, but I'm not sure how to set that up for Windows/PuTTY yet, so I'll be researching that after this. For now I'm focusing on limiting per IP address.
I know I can set which accounts can log in via SSH by editing /etc/ssh/sshd_config, and I have done that.
This link has some interesting info: http://yurisk.info/2011/04/05/two-tips- ... any-linux/
According to that page, on a Check Point device you can do this:

    AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk

    AllowUsers publicaccount myaccount@10.x.x.*
FWIW, in the comments section of that page, editing “~/.ssh/authorized_keys” is also mentioned. I'm not sure if that's a better solution or not, but it seems like it would be more labor intensive. If I do end up giving a family member access via SSH, I'd have to edit multiple files, whereas /etc/ssh/sshd_config would all be done in one file. Then again, if no users can edit other users' files, then might ~/.ssh/authorized_keys be more secure?
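
An added example, not part of the original post: a simplified Python model of how sshd evaluates the USER@HOST patterns on an AllowUsers line, so a proposed line can be checked against sample logins before sshd is reloaded. The pattern list `ALLOW`, the helper names and the sample addresses are constructed for illustration; only the account names come from the post.

```python
import ipaddress
import re

# Constructed pattern list for the two accounts named in the post.
ALLOW = "publicaccount myaccount@192.168.* myaccount@10.0.0.0/8"

def _glob(pattern, text):
    """sshd-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None

def _host_ok(host_pat, addr):
    """The HOST part may be a wildcard pattern or a CIDR block (address/masklen)."""
    if "/" in host_pat:
        try:
            net = ipaddress.ip_network(host_pat, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return _glob(host_pat, addr)

def allowed(allow_users, user, addr):
    """True if (user, source address) matches any pattern in the list.

    Simplified model (assumption): no '!' negation, no reverse-DNS host names,
    and no interaction with DenyUsers, AllowGroups or DenyGroups.
    """
    for pat in allow_users.split():
        user_pat, sep, host_pat = pat.partition("@")
        if not _glob(user_pat, user):
            continue
        # A bare USER pattern allows that user from any address.
        if not sep or _host_ok(host_pat, addr):
            return True
    # Once AllowUsers is set, anyone who matches no pattern is refused.
    return False

if __name__ == "__main__":
    samples = [("publicaccount", "203.0.113.7"), ("myaccount", "192.168.1.20"),
               ("myaccount", "10.4.5.6"), ("myaccount", "203.0.113.7"),
               ("root", "192.168.1.20")]
    for user, addr in samples:
        print(f"{user:14} {addr:14} {'allow' if allowed(ALLOW, user, addr) else 'deny'}")
    # The 'x' in 10.x.x.* is a literal character, not a wildcard:
    print(allowed("publicaccount myaccount@10.x.x.*", "myaccount", "10.4.5.6"))
```

After editing the real /etc/ssh/sshd_config, `sshd -t` checks the file for syntax errors before the service is reloaded.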