Emerson Farrugia wrote:
> The configuration most likely to succeed that I've tried so far is
> AllowGroups ssh lanssh@192.168.0.*

What authentication methods do you use? You could turn off all methods
and then selectively turn them back on using the Match keyword, e.g.:

# Only accept connections from users in ssh and lanssh groups
AllowGroups ssh lanssh

# Turn off all authentication methods so logins fail by default.
*** NB You'll need to fill this in ***

Match Group ssh
# Turn on authentication methods allowing ssh group to login anywhere.
*** NB You'll need to fill this in ***

Match Address 192.168.0.*
# Turn on authentication methods - allowing all others to login only
# if on local network.
*** NB You'll need to fill this in ***

Or what about using PAM?

# PAM needed to implement restrictions.
UsePAM yes

And then add the following to the PAM sshd file (often /etc/pam.d/sshd):

account required pam_access.so accessfile=/etc/security/sshd.conf

Then create /etc/security/sshd.conf with the following:

- : ALL EXCEPT ssh lanssh:

(^^ You should double check this).

This should deny all users, except the ssh group and the lanssh group if
logged in through

Finally, you could alternatively patch the sshd source so that the match
keyword extends to AllowGroups. Then you could use something like:

Allowgroups ssh

Match Address 192.168.0.*
Allowgroups lanssh

Personally, I feel that the PAM option is the best and easiest to
implement and maintain (assuming you have it on your system).

Take care,
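
Added example (not part of the original message, and not pam_access's own code): a Python model of pam_access's first-match rule evaluation, covering only ALL, EXCEPT, user or group names and address prefixes ending in a dot, so that a rule set for the PAM option can be double-checked against sample logins. The rule set, user names, groups and addresses are constructed assumptions.

```python
"""Simplified model of pam_access rule evaluation (added example)."""

# Constructed rule set (an assumption, not the file from the message above).
RULES = """\
+ : ssh : ALL
+ : lanssh : 192.168.0.
- : ALL : ALL
"""

def _in_list(tokens, test):
    """Match a token list, treating 'A EXCEPT B' as 'A and not B'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _in_list(tokens[:i], test) and not _in_list(tokens[i + 1:], test)
    return any(test(tok) for tok in tokens)

def decide(rules, user, groups, origin):
    """True if login is granted. The first matching rule decides; as in
    pam_access, a login that matches no rule is granted."""
    def user_ok(tok):
        return tok == "ALL" or tok == user or tok in groups

    def origin_ok(tok):  # a trailing dot means "network prefix"
        return tok in ("ALL", origin) or (tok.endswith(".") and origin.startswith(tok))

    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        if _in_list(users.split(), user_ok) and _in_list(origins.split(), origin_ok):
            return perm == "+"
    return True

# Constructed test logins: (user, groups, source address).
CASES = [
    ("alice", {"ssh"}, "203.0.113.7"),      # ssh group, outside the LAN
    ("bob", {"lanssh"}, "192.168.0.42"),    # lanssh group, on the LAN
    ("bob", {"lanssh"}, "203.0.113.7"),     # lanssh group, outside the LAN
    ("carol", {"users"}, "192.168.0.42"),   # neither group, on the LAN
]

def matrix(rules=RULES):
    return [decide(rules, user, groups, origin) for user, groups, origin in CASES]

if __name__ == "__main__":
    for (user, _, origin), ok in zip(CASES, matrix()):
        print(f"{user:6} from {origin:13} -> {'allow' if ok else 'deny'}")
```

Without the final `- : ALL : ALL` line every sample login is allowed, because a login that matches no rule is granted.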