From: Volker Kindermann
To: freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 19:54:17 +0200
Subject: Re: Question restricting ssh access for some users only
Message-ID: <20041007195417.430a8b5c@ariel.office.volker.de>

Hi Jim,

> I've used ssh as a secure telnet up to now but done little else with
> it. The FreeBSD machines I look after on our internet-facing network
> all have one account which I connect to for administration. I've set
> up /etc/hosts.allow on all the machines to only allow ssh from a
> limited internal network range.
>
> Now I want to create a new account on one machine which will be
> accessible from the Internet as a whole, to be used for tunnelling of
> SMTP and POP3. I can't predict what the client IP address will be so I
> will have to remove the hosts.allow restriction.

Have you considered the "AllowGroups" and "AllowUsers" directives of sshd_config? They should provide exactly the functionality that you want.

-volker
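
An sshd_config excerpt showing how AllowUsers can take over the per-account source restriction once hosts.allow is opened up. It is an added example, not part of the original message. The account names `admin` and `tunnel`, the group names, the `10.0.0.*` range and the assumption that the mail services listen on the same machine are placeholders. The `Match` block goes beyond the reply and assumes an OpenSSH release that supports `Match`, `PermitTTY` and `AllowTcpForwarding local`.

```conf
# /etc/ssh/sshd_config (excerpt)
# Constructed example: account names, group names and the address
# range below are placeholders, not values from the thread.

# Once AllowUsers is present, only users matching one of its patterns
# may log in at all. USER@HOST restricts that user to source hosts
# matching the HOST pattern; a bare USER may connect from any address.
AllowUsers admin@10.0.0.* tunnel

# Group-based alternative. AllowGroups takes group names only (no @HOST
# form), so it cannot express the per-source restriction for the
# administration account by itself. sshd processes these lists in the
# order DenyUsers, AllowUsers, DenyGroups, AllowGroups.
#AllowGroups sshadmins sshtunnel

# Confine the Internet-facing account to the two forwards it needs.
# Keep Match blocks at the end of the file: they apply until the next
# Match line or end of file.
Match User tunnel
    # Client-to-server (-L) forwards only, and only to SMTP and POP3.
    # PermitOpen compares the host string exactly as the client sends
    # it, so the client must also request 127.0.0.1, not "localhost".
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:25 127.0.0.1:110
    X11Forwarding no
    AllowAgentForwarding no
    # No terminal and no usable command; the client connects with
    # "ssh -N -L ..." so no session is requested.
    # Path as found on FreeBSD; adjust for other systems.
    PermitTTY no
    ForceCommand /usr/sbin/nologin
```

Check the file with `sshd -t` before reloading sshd, and keep an existing session open until a fresh login has been confirmed to work.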