Restricting remote VPN login IP addresses in CentOS 7

I have read that OpenSSH itself does not support authentication based on a specific IP address. On a web server installed on CentOS 7, how can logins be configured so that a user not only has to connect over the VPN with the correct user name and password, but also has to connect from one of a specific list of authorized IP addresses? Can this be done with OpenSSH? Is it possible to add other types of credentials as a requirement in the solution you suggest?

I read this post, but that approach seems to report access from unauthorized IPs rather than simply blocking the unauthorized IPs.

If possible, I would like to focus on free software.

Answer 1

man sshd_config

 AllowUsers
         This keyword can be followed by a list of user name patterns, separated by
         spaces.  If specified, login is allowed only for user names that match one of
         the patterns.  Only user names are valid; a numerical user ID is not recog‐
         nized.  By default, login is allowed for all users.  If the pattern takes the
         form USER@HOST then USER and HOST are separately checked, restricting logins
         to particular users from particular hosts.  The allow/deny directives are
         processed in the following order: DenyUsers, AllowUsers, DenyGroups, and
         finally AllowGroups.

         See PATTERNS in ssh_config(5) for more information on patterns.

man ssh_config

PATTERNS
     A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that
     matches zero or more characters), or ‘?’ (a wildcard that matches exactly one charac‐
     ter).  For example, to specify a set of declarations for any host in the “.co.uk” set
     of domains, the following pattern could be used:

           Host *.co.uk

     The following pattern would match any host in the 192.168.0.[0-9] network range:

           Host 192.168.0.?

     A pattern-list is a comma-separated list of patterns.  Patterns within pattern-lists
     may be negated by preceding them with an exclamation mark (‘!’).  For example, to
     allow a key to be used from anywhere within an organisation except from the “dialup”
     pool, the following entry (in authorized_keys) could be used:

           from="!*.dialup.example.com,*.example.com"
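The two man page excerpts above define the whole mechanism: each AllowUsers/DenyUsers entry is either USER or USER@HOST, the HOST half is a pattern list built from '*', '?' and '!' negation, and DenyUsers is evaluated before AllowUsers. The following Python script is an added example, not code from the answer or from OpenSSH; it reimplements those rules so a policy can be checked against sample logins before it is written into /etc/ssh/sshd_config. The VPN pool 10.8.0.0/24, the user names and the hostnames are constructed for the example, and the config parser is deliberately simplified (plain "Key value" lines, no Match blocks).

```python
import re

# --- OpenSSH-style pattern matching (after PATTERNS in ssh_config(5)) --------

def ssh_pattern_to_regex(pattern):
    """Translate an sshd pattern into a regex. Only '*' (zero or more chars)
    and '?' (exactly one char) are wildcards; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def match_pattern(string, pattern):
    """True when the whole string matches one pattern."""
    return re.match(ssh_pattern_to_regex(pattern), string) is not None


def match_pattern_list(string, pattern_list, case_insensitive=False):
    """Comma-separated pattern list with '!' negation.
    Returns 1 (positive match), 0 (no match) or -1 (a negated entry matched,
    which overrides any positive entry in the same list)."""
    got_positive = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        s, p = (string.lower(), pat.lower()) if case_insensitive else (string, pat)
        if match_pattern(s, p):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_host_and_ip(host, ip, pattern_list):
    """HOST half of USER@HOST: the reverse-DNS name compares case-insensitively,
    the client IP literally. A negated match on either side rejects; otherwise
    a positive match on either side accepts."""
    mhost = match_pattern_list(host, pattern_list, case_insensitive=True)
    mip = match_pattern_list(ip, pattern_list)
    if mhost == -1 or mip == -1:
        return False
    return mhost == 1 or mip == 1


def match_user(user, host, ip, entry):
    """One AllowUsers/DenyUsers entry: USER alone, or USER@HOST with both
    halves checked separately, as sshd_config(5) describes."""
    if "@" in entry:
        upat, hpat = entry.split("@", 1)
        return match_pattern(user, upat) and match_host_and_ip(host, ip, hpat)
    return match_pattern(user, entry)


def allowed_user(user, host, ip, deny_users=(), allow_users=()):
    """DenyUsers is checked before AllowUsers (the man page order). When
    AllowUsers is present, the login must match at least one of its entries."""
    if any(match_user(user, host, ip, e) for e in deny_users):
        return False
    if allow_users and not any(match_user(user, host, ip, e) for e in allow_users):
        return False
    return True


def load_policy(config_text):
    """Collect DenyUsers/AllowUsers tokens from an sshd_config fragment.
    Simplified on purpose: 'Key value' lines only, no Match blocks, no Include."""
    deny, allow = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "denyusers":
            deny.extend(rest.split())
        elif key.lower() == "allowusers":
            allow.extend(rest.split())
    return deny, allow


# Constructed sshd_config fragment for this example (not a real server's file):
# 'deploy' may log in only from the assumed VPN pool 10.8.0.0/24, 'ops' also
# from corporate hostnames, and root is denied wherever it connects from.
SAMPLE_SSHD_CONFIG = """
DenyUsers root
AllowUsers deploy@10.8.0.* ops@*.corp.example.com,10.8.0.*
"""


def evaluate(config_text, user, host, ip):
    """Would sshd, configured with config_text, let this login past the
    AllowUsers/DenyUsers stage?"""
    deny, allow = load_policy(config_text)
    return allowed_user(user, host, ip, deny, allow)


if __name__ == "__main__":
    # Constructed login attempts: (user, reverse-DNS name, client IP).
    attempts = [
        ("deploy", "vpn-client-7.internal", "10.8.0.7"),
        ("deploy", "unknown", "203.0.113.5"),
        ("ops", "laptop3.corp.example.com", "198.51.100.9"),
        ("root", "vpn-client-7.internal", "10.8.0.7"),
    ]
    for user, host, ip in attempts:
        verdict = "allow" if evaluate(SAMPLE_SSHD_CONFIG, user, host, ip) else "deny"
        print(f"{user:8s} {host:28s} {ip:15s} -> {verdict}")
```

Two practical points follow from the semantics the script models. Prefer IP-address patterns (or the VPN pool's addresses) in the HOST half: hostname matching depends on the reverse DNS of the client address, which the server does not control. And because a mistaken AllowUsers line locks everyone out, run `sshd -t` to syntax-check the edited file, reload sshd while an existing session stays open, and confirm from a second session that the intended login is still accepted and an out-of-range address is refused.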
