Emerson Farrugia wrote:
> The configuration most likely to succeed that I've tried so far is
> AllowGroups ssh lanssh@192.168.0.*


What authentication methods do you use? You could turn off all methods
and then selectively turn them back on using the Match keyword, e.g.:

# Only accept connections from users in ssh and lanssh groups
AllowGroups ssh lanssh

# Turn off all authentication methods so logins fail by default.
*** NB You'll need to fill this in ***

Match Group ssh
# Turn on authentication methods allowing ssh group to login anywhere.
*** NB You'll need to fill this in ***

Match Address 192.168.0.*
# Turn on authentication methods - allowing all others to login only
# if on local network.
*** NB You'll need to fill this in ***


Or what about using PAM?

# PAM needed to implement restrictions.
UsePAM yes

And then add the following to the PAM sshd file (often /etc/pam.d/sshd):

account required pam_access.so accessfile=/etc/security/sshd.conf

Then create /etc/security/sshd.conf with the following:

- : ALL EXCEPT ssh lanssh:192.168.0.0/24

(^^ You should double check this).

This should deny all users, except the ssh group and the lanssh group if
logged in through 192.168.0.0/24.


Finally, you could alternatively patch the sshd source so that the match
keyword extends to AllowGroups. Then you could use something like:

Allowgroups ssh

Match Address 192.168.0.*
Allowgroups lanssh


Personally, I feel that the PAM option is the best and easiest to
implement and maintain (assuming you have it on your system).

Take care,

Ben
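
One way to do the double-check suggested for the pam_access rule, as an added example that is not part of the original message: a simplified Python model of pam_access's first-match evaluation. It handles only ALL, EXCEPT, user or group names, `(group)`, and CIDR or literal-address origins (no hostnames, LOCAL or netgroups); the user names, test addresses and the three-line EXPLICIT rule set are constructed for illustration.

```python
import ipaddress

def list_match(tokens, pred):
    """pam_access list semantics: 'a b EXCEPT c d' matches a|b unless c|d."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, None
    if not any(pred(t) for t in head):
        return False
    return tail is None or not list_match(tail, pred)

def user_pred(user, groups):
    def pred(tok):
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):  # explicit group syntax
            return tok[1:-1] in groups
        return tok == user or tok in groups            # bare name: user, then group
    return pred

def origin_pred(addr):
    ip = ipaddress.ip_address(addr)
    def pred(tok):
        if tok == "ALL":
            return True
        if "/" in tok:                                 # network/prefix origin
            return ip in ipaddress.ip_network(tok, strict=False)
        return tok == addr
    return pred

def allowed(rules, user, groups, addr):
    """Return True if the first matching rule is '+', or if no rule matches."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_match(users.split(), user_pred(user, groups))
                and list_match(origins.split(), origin_pred(addr))):
            return perm == "+"
    return True  # no rule matched: pam_access grants access

PAGE_RULE = "- : ALL EXCEPT ssh lanssh:192.168.0.0/24"  # rule from the message
EXPLICIT = """\
+ : (ssh) : ALL
+ : (lanssh) : 192.168.0.0/24
- : ALL : ALL"""  # constructed alternative ending in a catch-all deny
```

Calling `allowed(PAGE_RULE, user, groups, addr)` and `allowed(EXPLICIT, user, groups, addr)` for a member of each group from inside and outside 192.168.0.0/24 shows where the two rule sets differ.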