[svlug] SSH PAM and access control
James Sparenberg
james at linuxrebel.org
Mon May 17 15:26:46 PDT 2010
On 05/17/2010 12:24 PM, David Rosenstrauch wrote:
> On 05/16/2010 08:25 PM, James Sparenberg wrote:
>
>> All,
>>
>> OK situation is. We have a system that from the LAN on port 22 we
>> want to have "normal" ssh access. (username and password) However
>> from outside the LAN we want to limit it to a smaller subset of users,
>> and have these users access by ssh-key pair only.
>>
>>
>> What I have done is set up a second ssh daemon running on say port
>> 2222, that operates via key pair only. What I'm having trouble with is
>> figuring out how to configure PAM or other access control that allows
>> for each of these ssh daemons to operate independently. Unfortunately
>> they both seem to come back to the same PAM parameters and it doesn't
>> allow for access control by port, only by system.
>>
>> Has anyone out there ever set something up that meets these needs, or
>> am I just going to have to put the sshkey version on a VM and run from
>> there?
>>
>> James
>>
> Any particular reason you wouldn't want to set up a vpn for this?
>
> DR
>
Actually yes. We've a couple of users (outside the US) whose ISP blocks
connectivity to all VPN channels (IKE, PPTP, etc.) systems. However, they
don't block an ssh VPN tunnel (since they probably don't know what it
is), and this is to be used to create that kind of VPN.
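
The key-only daemon on port 2222 from the quoted question, as an added example that is not part of the original thread: a small Python audit of that daemon's sshd_config, flagging settings that would still let a password through (including keyboard-interactive via PAM) or leave the user set unrestricted. It assumes OpenSSH's first-value-wins parsing and upstream defaults, treats ChallengeResponseAuthentication as an alias of KbdInteractiveAuthentication, ignores Match blocks, and uses constructed configs with made-up user names.

```python
# Added example: audit the effective global settings of a key-only sshd config.
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "usepam": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
MULTI = {"allowusers", "allowgroups"}  # these accumulate across lines

def effective(config_text):
    """Return effective global settings; sshd uses the first value it sees."""
    seen, lists = {}, {k: [] for k in MULTI}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":      # conditional blocks are out of scope here
            break
        if key in MULTI:
            lists[key].extend(parts[1:])
        elif len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen, **lists}

def audit_key_only(config_text):
    """List reasons this daemon is not limited to key pairs and named users."""
    s, findings = effective(config_text), []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["usepam"] == "yes" and s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive via PAM can still prompt for a password")
    if s["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication is disabled")
    if not (s["allowusers"] or s["allowgroups"]):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings

# Constructed sample configs for the port-2222 daemon (user names are made up).
WEAK = """Port 2222
UsePAM yes
PasswordAuthentication no
"""
HARDENED = WEAK + """ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, effective(cfg)["port"], audit_key_only(cfg))
```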