I would like to allow ssh access from
1) anyone on the 192.168.1.0/24 network
or
2) anyone on a list of users.

If someone meets either of these criteria, they can log in.

The goal is to block everyone except a small list of trusted souls from
accessing the linux system when they are out of the building. As long as
you are in the building and have a username and password, you can log
in.

If they meet these criteria, they still have to log in.

The default ssh file in pam.d uses auth required pam_listfile.so to =
block the root user.

It seems that I can reverse the sense from sense=deny to sense=allow
and replace root with all of the legal remote users in the file.

It also seems that I can allow people from 192.168.1.0/24 using
pam_listfile with item=rhost.
I do not have an example of what the file looks like.
I would like it to look like this:
192.168.1.0/24

The only "working" version looks like
host.domain.com

I then want the user to be required to log in with a valid Active
Directory username. I already have that working with winbind.
pam_stack.so service=system-auth (I renamed the winbind service to
system-auth to avoid having to change every pam file.)

I am a bit unclear about what ssh does with

auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

There seems to be some duplication - everyone calls pam_stack.so exactly
the same way.


I have something like this in the pam.d/ssh file
#block root
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
# basic requirement of a username and password
auth required pam_stack.so service=system-auth
auth required pam_nologin.so

# Ok so they have the keys; but are they in the right places
#allow the chosen people no matter from where
account sufficient pam_listfile.so item=user sense=allow file=/etc/ssh/allowusers
#allow the riff-raff as long as they are at work
account required pam_listfile.so item=rhost sense=allow file=/etc/ssh/allow192
account required pam_stack.so service=system-auth ---- This looks redundant

password required pam_stack.so service=system-auth --- ????

session required pam_stack.so service=system-auth --- ????


Using the above pam.d/sshd file I can log in if I am on the list of
God's chosen but the others can not get in unless I have listed the
fully qualified host name in allow192.

Is there some way to have the IP address range used instead of the host
name?

Ron
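Added illustration (not part of Ron's message and not his PAM files): pam_listfile compares the rhost item against each line of its file as a literal string, so an entry like 192.168.1.0/24 can never match a connecting address such as 192.168.1.77, which is why only a fully qualified host name "works". The model below shows that string-only comparison next to a first-match rule evaluator in the "permission : users : origins" layout that pam_access.so reads from /etc/security/access.conf, with the origin matched as a CIDR network via Python's ipaddress module. The rules, user names and addresses are constructed sample data; the evaluator is a simplified model of pam_access's behaviour (first matching line decides; no matching line means access is granted, which is why the sample ends with an explicit deny-all), not pam_access itself.

```python
"""Model of the policy from the post: allow a login if the user is on the
trusted list OR the connection comes from 192.168.1.0/24 (or the console).
Simplified, stand-alone model; not a PAM module and not the poster's config."""

import ipaddress

# Constructed sample in pam_access's access.conf layout: permission:users:origins.
# Lines are scanned in order and the first matching line decides.
SAMPLE_ACCESS_CONF = """
# trusted users may come in from anywhere
+ : alice bob : ALL
# everybody else only from the office LAN or the local console
+ : ALL : 192.168.1.0/24 LOCAL
# pam_access GRANTS access when no line matches, so close with a deny-all
- : ALL : ALL
"""

# Constructed contents of a pam_listfile item=rhost file, as in the post.
SAMPLE_ALLOW192 = ["192.168.1.0/24", "host.domain.com"]


def listfile_rhost_matches(entries, rhost):
    """pam_listfile semantics: the rhost item must equal a file line exactly.
    A network range written in the file is just a string and never matches."""
    return rhost in entries


def parse_access_rules(text):
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(pattern, rhost):
    """rhost is the remote address string, or None for a local/console login."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return rhost is None
    if rhost is None:
        return False
    if "/" in pattern:                      # CIDR or address/netmask network
        try:
            return ipaddress.ip_address(rhost) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                  # not an address: treat as no match
            return False
    return pattern == rhost                 # literal host entry


def is_allowed(rules, user, rhost):
    """First matching rule decides; no match grants access (pam_access default)."""
    for permit, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(p, rhost) for p in origins):
            return permit
    return True


def evaluate(user, rhost, conf_text=SAMPLE_ACCESS_CONF):
    return is_allowed(parse_access_rules(conf_text), user, rhost)


if __name__ == "__main__":
    for user, rhost in [("alice", "10.9.8.7"), ("carol", "192.168.1.77"),
                        ("carol", "10.9.8.7"), ("carol", None)]:
        print(user, rhost, "->", "allow" if evaluate(user, rhost) else "deny")
    print("listfile match for 192.168.1.77:",
          listfile_rhost_matches(SAMPLE_ALLOW192, "192.168.1.77"))
```

The two `+` lines express exactly the "either criterion" rule from the post: a trusted user from anywhere, or anyone from the office network. Because pam_access only enforces origin policy, the username/password requirement still has to come from the existing system-auth stack; the module belongs in the account phase beside it.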