How to limit SSH access for one account to only 2 addresses?

Linux Kernel, Network, and Services configuration.
Woefdram
Posts: 6
Joined: 2017-10-24 00:17

#1 Post by Woefdram »

My monitoring system uses SSH to do its business. I want the managed servers to only accept this login from 2 addresses: the IPv4 and IPv6 address of my monitoring server. Seems simple, but I can't figure out how to make that work.

I've seen several threads about exactly this, such as this one, and I studied the manpage. What I think I should do, is tell SSH to deny this user if he's not coming from either of these 2 addresses.

These are the last lines in my sshd_config:

Match Address !12.23.45.78
  DenyUsers nagios
Match Address !11:22:44:55::1
  DenyUsers nagios

But it doesn't seem to do a thing, because nagios can still log in from any address.

Or it could even be simpler, without any Match element:

DenyUsers nagios@!12.23.45.78 nagios@!11:22:44:55::1

Same result: nagios can log in from anywhere. So I tried it the other way around: first denying access and then allowing it for the 2 addresses:

DenyUsers nagios

Match Address 12.23.45.78
  AllowUsers nagios

Match Address 11:22:44:55::1
  AllowUsers nagios

But now nagios can't log in from any address. Moving the top line to the bottom doesn't change it either. Whatever I try, nagios can either log in from anywhere or nowhere at all.

I'm sure it's something small, but I can't figure out how to make this work.

Anyone?

alan stone
Posts: 269
Joined: 2011-10-22 14:08
Location: In my body.

Re: How to limit SSH access for one account to only 2 addres

#2 Post by alan stone »

Did you restart the SSH daemon with "# service ssh restart" or "# systemctl restart ssh"?

Woefdram
Posts: 6
Joined: 2017-10-24 00:17

Re: How to limit SSH access for one account to only 2 addres

#3 Post by Woefdram »

Of course I did, otherwise it wouldn't change between all or nothing ;)

ralph.ronnquist
Posts: 342
Joined: 2015-12-19 01:07
Location: Melbourne, Australia
Been thanked: 6 times

Re: How to limit SSH access for one account to only 2 addres

#4 Post by ralph.ronnquist »

Presumably you've also verified that those IPv4/IPv6 addresses are the ones sshd sees.

It is confusing though, since your first code block should have resulted in always blocking out nagios, except if they always connected with those two addresses concurrently ... or maybe there's a more advanced logic behind it; one that considers or ignores match blocks based on the traffic protocol.

Otherwise, I think it should be a single match block including both the addresses, such as:

Match Address !12.23.45.78,!11:22:44:55::1
    DenyUsers nagios

to make the "deny" apply when the input is neither that IPv4 nor that IPv6. As separate match blocks (i.e., your first code block), the tests would apply separately, thus as a disjunction rather than a conjunction.

But given your test results, I wouldn't think this works either, and there's something else at play.

Woefdram
Posts: 6
Joined: 2017-10-24 00:17

Re: How to limit SSH access for one account to only 2 addres

#5 Post by Woefdram »

Yeah, the IPv4 is my external IP at home (my monitoring server is behind a NAT box). The IPv6 address is the other one, there's no NAT involved there of course. And when I log in, those are the addresses I see with "who --ips".

I'm pretty sure I tried the code you posted before, but just to make sure, I tried it again: nagios can log in from anywhere... :?

What do you mean by connected concurrently?

ralph.ronnquist
Posts: 342
Joined: 2015-12-19 01:07
Location: Melbourne, Australia
Been thanked: 6 times

Re: How to limit SSH access for one account to only 2 addres

#6 Post by ralph.ronnquist »

Woefdram wrote: What do you mean by connected concurrently?
I meant that the connection identified using both IPv4 and IPv6 at the same time. It can't of course, so please just ignore.

There is this bug report from many, many moons ago about match patterns being required to include a positive component in order to work. I.e., just negative addresses didn't work. You would try that by adding ,* to the IP list.

Match Address !12.23.45.78,!11:22:44:55::1,*
    DenyUsers nagios

alan stone
Posts: 269
Joined: 2011-10-22 14:08
Location: In my body.

Re: How to limit SSH access for one account to only 2 addres

#7 Post by alan stone »

Woefdram wrote:...otherwise it wouldn't change between all or nothing ;)
I was aware of that. However, as your post didn't mention which debian version you're running and the article referred to only included the first restart instruction, I was wondering which one you used and asked.

Woefdram
Posts: 6
Joined: 2017-10-24 00:17

Re: How to limit SSH access for one account to only 2 addres

#8 Post by Woefdram »

ralph.ronnquist wrote:
There is this bug report from many, many moons ago about match patterns being required to include a positive component in order to work. I.e., just negative addresses didn't work. You would try that by adding ,* to the IP list.

Match Address !12.23.45.78,!11:22:44:55::1,*
    DenyUsers nagios

Thanks, that did the trick! I don't fully understand what happens here, but at least ssh finally does what I want it to.

If at least one positive component must be present, then this should work:

DenyUsers nagios
Match Address 12.23.45.78,11:22:44:55::1
  AllowUsers nagios

But it doesn't. So I still don't really understand what's going on, but at least the negations+wildcard works.
Last edited by Woefdram on 2017-10-25 15:03, edited 3 times in total.
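Both results in the post above follow from two rules in sshd_config(5). The PATTERNS section states that a negated pattern never produces a positive match by itself, so a Match Address list made only of "!" entries never applies to any client (which is why the trailing ",*" is needed, and why "nagios@!12.23.45.78" in DenyUsers denies nobody). The AllowUsers/DenyUsers description states that DenyUsers is evaluated before AllowUsers, so a global "DenyUsers nagios" can never be re-allowed from inside a Match block. The Python below is an added model of those rules, written for this edit; it is not OpenSSH code and not part of the thread. It re-implements the documented matching semantics (including the CIDR-then-wildcard order of Match Address), appends Match-block entries to the global lists the way servconf.c does for these list keywords, encodes the four configurations posted in the thread, and reports where nagios could log in under each. The 203.0.113.9 "anywhere else" client address is constructed for the example.

```python
"""Model of how sshd evaluates Match Address lists and DenyUsers/AllowUsers.

Illustrative re-implementation of the rules documented in sshd_config(5), not
OpenSSH's own code.  Result codes follow OpenSSH's convention:
   1 = positive match, 0 = no match, -1 = a negated ('!') entry matched.
"""
import fnmatch
import ipaddress

# Account and addresses from the thread; 203.0.113.9 is a constructed
# "anywhere else" client address (TEST-NET-3).
MONITOR_V4 = "12.23.45.78"
MONITOR_V6 = "11:22:44:55::1"
ELSEWHERE = "203.0.113.9"


def match_pattern(target, pattern):
    # '*' and '?' wildcards; fnmatch also handles '[...]', which sshd does
    # not, but no pattern in this example uses brackets.
    return fnmatch.fnmatchcase(target, pattern)


def match_list(target, pattern_list, addr_mode=False):
    """Comma-separated pattern list with '!' negation.

    A negated entry that matches stops evaluation with -1.  A positive entry
    that matches records 1 but evaluation continues, so a later negated entry
    can still veto it.  A list of only negated entries can therefore never
    return 1: "!A,!B" matches nobody, which is why "!A,!B,*" is needed.
    In addr_mode a CIDR entry is tried first, then wildcard matching.
    """
    got_positive = 0
    for entry in pattern_list.split(","):
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        matched = False
        if addr_mode:
            try:
                matched = ipaddress.ip_address(target) in ipaddress.ip_network(entry, strict=False)
            except ValueError:  # not a CIDR entry (e.g. "*"): fall back to wildcard
                matched = match_pattern(target, entry)
        else:
            matched = match_pattern(target, entry)
        if matched:
            if neg:
                return -1
            got_positive = 1
    return got_positive


def user_entry_matches(entry, user, addr):
    """DenyUsers/AllowUsers entry: USER or USER@HOST, HOST matched as a list."""
    if "@" not in entry:
        return match_list(user, entry) == 1
    upat, hpat = entry.split("@", 1)
    return match_list(user, upat) == 1 and match_list(addr, hpat, addr_mode=True) == 1


def login_allowed(config, user, addr):
    """config: list of (match_address_list or None, directive, arguments).

    Match-block directives are appended to the global lists only when the
    block's Address criterion returns a positive match for the client.
    DenyUsers is then checked before AllowUsers: a denied user stays denied.
    """
    deny, allow = [], []
    for criterion, directive, args in config:
        if criterion is not None and match_list(addr, criterion, addr_mode=True) != 1:
            continue
        (deny if directive == "DenyUsers" else allow).extend(args.split())
    if any(user_entry_matches(e, user, addr) for e in deny):
        return False
    if allow and not any(user_entry_matches(e, user, addr) for e in allow):
        return False
    return True


# The four configurations from the thread, in the order they were tried.
SEPARATE_NEGATED_BLOCKS = [("!12.23.45.78", "DenyUsers", "nagios"),
                           ("!11:22:44:55::1", "DenyUsers", "nagios")]
NEGATED_USER_AT_HOST = [(None, "DenyUsers", "nagios@!12.23.45.78 nagios@!11:22:44:55::1")]
DENY_THEN_ALLOW = [(None, "DenyUsers", "nagios"),
                   ("12.23.45.78,11:22:44:55::1", "AllowUsers", "nagios")]
NEGATED_PLUS_WILDCARD = [("!12.23.45.78,!11:22:44:55::1,*", "DenyUsers", "nagios")]


def outcome(config):
    """Where can nagios log in under this config?  Returns {addr: allowed}."""
    return {a: login_allowed(config, "nagios", a) for a in (MONITOR_V4, MONITOR_V6, ELSEWHERE)}


if __name__ == "__main__":
    for name, cfg in [("separate negated Match blocks", SEPARATE_NEGATED_BLOCKS),
                      ("DenyUsers user@!host", NEGATED_USER_AT_HOST),
                      ("global DenyUsers, AllowUsers in Match", DENY_THEN_ALLOW),
                      ("negated list plus wildcard", NEGATED_PLUS_WILDCARD)]:
        print(f"{name}: {outcome(cfg)}")
```

The model reproduces the thread: the first two configurations allow nagios from everywhere, the third denies it everywhere, and only the negated list with the trailing wildcard denies nagios from 203.0.113.9 while admitting it from the two monitoring addresses. On the real server the same question is answered by sshd itself: "sshd -T -C user=nagios,addr=203.0.113.9" (run as root) prints the effective configuration after Match processing, so a "denyusers nagios" line should appear for an outside client address and be absent when addr= is one of the two monitoring addresses.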

Woefdram
Posts: 6
Joined: 2017-10-24 00:17

Re: How to limit SSH access for one account to only 2 addres

#9 Post by Woefdram »

alan stone wrote:
Woefdram wrote:...otherwise it wouldn't change between all or nothing ;)
I was aware of that. However, as your post didn't mention which debian version you're running and the article referred to only included the first restart instruction, I was wondering which one you used and asked.
Always good to ask if something's unclear. I'm on Debian Testing (Buster, atm), using OpenSSH 7.6p1.

I quoted only one of several threads I had seen. They all described almost exactly the same things, and I think I tried about every combination possible: edit sshd_conf, restart ssh, test, repeat. To no avail, until ralph shared his knowledge :)

alan stone
Posts: 269
Joined: 2011-10-22 14:08
Location: In my body.

Re: How to limit SSH access for one account to only 2 addres

#10 Post by alan stone »

ralph.ronnquist wrote:There is this bug report from many, many moons ago about match patterns being required to include a positive component in order to work.
That's fascinating! Patching a bug with a dose of optimistic autosuggestion. 8)
Woefdram wrote:... To no avail, until ralph shared his knowledge :)
Glad that worked out fine.
