Hello,

I'm facing a problem when I am trying to use dropbear with PAM support.

My requirement is to restrict certain users to do ssh only through certain interfaces. For example: my board has 2 IPs, 10.207.18.101/24 on eth0 and 10.207.118.101/24 on eth1. The dropbear server listens on port 22 on both of these interfaces. Given this scenario, I want to restrict a particular user, say "abc", to be able to do ssh only through the eth1 network, i.e. "abc" should be able to log in from IPs like 10.207.118.102/24, 10.207.118.103/24, etc.

I didn't find a way to do this using only dropbear, so I had to integrate dropbear with PAM. I applied this patch to dropbear-2016.74.tar.bz2:

--- a/options.h +++ b/options.h @@ -213,10 +213,10 @@ If you test it please contact the Dropbear author */ /* This requires crypt() */ #ifdef HAVE_CRYPT -#define ENABLE_SVR_PASSWORD_AUTH +/*#define ENABLE_SVR_PASSWORD_AUTH*/ #endif /* PAM requires ./configure --enable-pam */ -/*#define ENABLE_SVR_PAM_AUTH */ +#define ENABLE_SVR_PAM_AUTH #define ENABLE_SVR_PUBKEY_AUTH

I configured and compiled dropbear with PAM support and added the configuration files below.

a. cat /etc/pam.d/sshd

    auth required pam_unix.so
    account required pam_access.so

b. cat /etc/security/access.conf

    + : root : ALL
    + : abc : 10.207.118.0/24
    - : abc : 10.207.18.0/24
    - : ALL : ALL

But with this configuration, abc is unable to log in to the machine via 10.207.118.0/24 either.

Any idea how to fix this? Apologies if it's not the right forum to ask this question.

Regards,
Sriram.
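
Review bot: the options.h hunk turns on ENABLE_SVR_PAM_AUTH unconditionally, while the context comment directly above it says "PAM requires ./configure --enable-pam", and nothing in the patch records that build requirement. Suggest stating the configure flag in the patch description, or keeping the define behind a guard in the way ENABLE_SVR_PASSWORD_AUTH sits inside #ifdef HAVE_CRYPT. Style: the new /*#define ENABLE_SVR_PASSWORD_AUTH*/ drops the space before */ that the removed /*#define ENABLE_SVR_PAM_AUTH */ line had, and a short comment saying password auth is disabled in favour of PAM would make the intent clear.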
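
An added example, not part of the original post and not code from Dropbear or Linux-PAM: a simplified first-match evaluator for the access.conf rules quoted above, run against constructed origins to show which rule decides each case. It handles only ALL, networks/addresses and exact names (no groups, EXCEPT, LOCAL or netgroups); the function names and the sample origins are assumptions.

```python
import ipaddress

# Rules exactly as quoted in the post's /etc/security/access.conf.
ACCESS_CONF = """\
+ : root : ALL
+ : abc : 10.207.118.0/24
- : abc : 10.207.18.0/24
- : ALL : ALL
"""

def parse_rules(text):
    """Parse 'permission : users : origins' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # maxsplit=2 keeps any ':' inside the origins field intact.
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    """Simplified origin match: ALL, a network/address, or an exact name."""
    if pattern == "ALL":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == origin          # tty, host or service name
    try:
        return ipaddress.ip_address(origin) in net
    except ValueError:
        return False                      # origin is not an IP address

def check_access(user, origin, rules):
    """Return (allowed, rule_index) for the first matching rule,
    or (None, None) when no rule matches."""
    for i, (permit, users, origins) in enumerate(rules):
        if any(u in ("ALL", user) for u in users) and \
           any(origin_matches(p, origin) for p in origins):
            return permit, i
    return None, None

if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    # Constructed origins: two client addresses and one non-address string.
    for origin in ("10.207.118.102", "10.207.18.50", "sshd"):
        print("abc", origin, check_access("abc", origin, rules))
```

The origin here is the client's source address as handed to the access check, so a non-address origin string falls through to the final `- : ALL : ALL` rule.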