
I need to restrict connections to an openssh server to only three or four IP addresses. I know I can, on the CentOS 7 and Oracle Linux boxes, use firewalld or TCP wrappers. However, some of the servers on the network do not support firewalld or have a build of openssh that doesn't include libwrap.so. Those need an ssh solution.

I've tried different variations such as these but, so far, I either get locked out completely or anyone can get in.

Match Address !10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
  DenyUsers *@*
DenyUsers *@*

Match Address 10.222.79.74,10.222.79.75,172.23.10.22,10.217.184.58 AllowUsers @

Is there a way to do this?

OK, I am officially a DA.

I set the log level to debug and, from looking at the most recent login, I realized I was testing from one of the IPs on the allowed list. I tried it from a different client and the following works as expected.

Match Host *,!10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58
  DenyUsers *

Apologies for wasting your time.
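As an added illustration (not part of the question or the answer), the following Python model reproduces OpenSSH's rule for evaluating a comma-separated Match Address list: a matching negated pattern ends evaluation with "no match" at once, a matching positive pattern records a match, and a list built only from negations therefore never selects the block. The sample addresses are the question's four plus a constructed outsider; the model also accepts CIDR patterns, which Match Address supports, but not hostname wildcards beyond a bare `*` (an assumption to keep it short).

```python
import ipaddress

def _pattern_matches(addr: str, pattern: str) -> bool:
    """One pattern: '*' matches anything; otherwise an IP address or CIDR block.
    Assumption: hostname patterns other than a bare '*' are out of scope here."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def match_address_list(addr: str, pattern_list: str) -> bool:
    """Evaluate a Match Address list the way OpenSSH does (model of its addrmatch logic):
    a '!' pattern that matches the client -> no match, immediately;
    a positive pattern that matches -> remember a match and keep scanning;
    nothing positive matched -> no match (so negations alone never match)."""
    matched = False
    for raw in pattern_list.split(","):
        pattern = raw.strip()
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if _pattern_matches(addr, pattern):
            if negated:
                return False
            matched = True
    return matched

# Constructed sample data: the four addresses from the question plus an outsider.
ALLOWED = ["10.222.79.74", "10.222.79.75", "172.23.10.22", "10.217.184.58"]
OUTSIDER = "192.0.2.10"  # TEST-NET-1, constructed for the example

NEGATIONS_ONLY = "!10.222.79.74,!10.222.79.75,!172.23.10.22,!10.217.184.58"
WILDCARD_FIRST = "*," + NEGATIONS_ONLY

def blocks_outsider(pattern_list: str) -> bool:
    """True if a 'Match ... / DenyUsers *' block using this list would catch the
    outsider while leaving every allowed host unmatched."""
    return (match_address_list(OUTSIDER, pattern_list)
            and not any(match_address_list(a, pattern_list) for a in ALLOWED))

if __name__ == "__main__":
    for name, lst in (("negations only", NEGATIONS_ONLY), ("wildcard first", WILDCARD_FIRST)):
        print(f"{name}: outsider matched={match_address_list(OUTSIDER, lst)}, "
              f"allowed host matched={match_address_list(ALLOWED[0], lst)}, "
              f"restricts correctly={blocks_outsider(lst)}")
```

Run against a real server, `sshd -T -C addr=192.0.2.10` prints the effective settings for a given client address and is the quickest way to confirm which block a Match line actually selects.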

1 Answer

According to the sshd_config man page (OpenSSH_8.0p1):

For each keyword, the first obtained value will be used.

So I guess the first example looks like the correct one.

Please note: I have a strong feeling this changed recently (from the LAST value being used), so please check your man pages. And (as I just checked) it doesn't look like it is working as described, so you may have to experiment.

Tomek