Thanks Steve. I've just tested your solution and it's working fine. I invoked a second instance of sshd using a different configuration file, i.e.

ssh -f /etc/ssh/sshd_conf-internal

which binds to port 22 and allows all users to log in. The (original) file /etc/ssh/sshd_conf binds to 1022, and is exposed to the public internet - but restricts access based on AllowGroup. The server has a single NIC - but, as you say, it's no problem using different ports.

Thanks to the other authors who have replied.

Regards
Patrick Rynhart.

Steve Suehring wrote:
> I would likely restrict access to ssh from external, if at all possible.
> I realize that this isn't always possible but it should be possible to
> at least narrow down access to certain IP ranges.
>
> For this particular problem I'm assuming there are two NICs in the
> computer, one with an IP in private space and the other with a public
> address? One idea is to bind two SSH daemons, one for each NIC. Place
> no AllowGroups restriction on the internal SSH daemon. This means
> that all users can connect internally. On the SSH daemon bound
> externally place the AllowGroups restriction to restrict access to
> members of that group.
>
> If there's only one NIC in the computer then you could still use two SSH
> daemons, just bind them to different ports. The internal port might be
> the standard tcp/22 whereas externally you would bind tcp/2222 or
> something. Then firewall off the access to port 22 from externally so
> that the internal-use daemon can't be accessed.
>
> Hope that helps. I'm sure others will have ideas too.
>
> Steve
>
>
> On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> > I have a server running sshd on Sarge. I want all users to be able to
> > access the computer from within the internal network - but restrict
> > access from the internet (to users in a particular group). Can this be
> > achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> > the AllowGroup (or AllowUsers) options in sshd configuration file?
> >
> > If so, how?
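The two-daemon layout Steve proposes and Patrick confirms (one sshd on tcp/22 for everyone inside, a second one on a non-standard port with an AllowGroups restriction facing the internet), written out as an added example that is not part of this thread. The files are written to a scratch directory rather than /etc/ssh, the group name `sshexternal`, the PidFile paths and the hardening lines are assumptions, and the plain-text check only confirms the two files are split the way the thread describes; it does not replace `sshd -t`.

```shell
#!/bin/sh
# Added example (not from the thread): two sshd_config files for the
# internal/external split, plus a sanity check that the split is right.
# Group name, PidFile paths and scratch directory are assumptions.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_configs() {
    # Internal daemon: standard port, no group restriction (all users may log in).
    cat > "$WORKDIR/sshd_conf-internal" <<'EOF'
Port 22
PidFile /var/run/sshd-internal.pid
PasswordAuthentication no
PermitRootLogin no
EOF
    # External daemon: non-standard port, only members of one group may log in.
    cat > "$WORKDIR/sshd_conf" <<'EOF'
Port 1022
PidFile /var/run/sshd.pid
AllowGroups sshexternal
PasswordAuthentication no
PermitRootLogin no
EOF
}

# config_value FILE KEYWORD -> value of the first matching keyword
# (sshd_config keywords are case-insensitive; first occurrence wins, like sshd).
config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_layout -> 0 when the pair matches the intended split, 1 otherwise
check_layout() {
    int="$WORKDIR/sshd_conf-internal"
    ext="$WORKDIR/sshd_conf"
    # Internal: port 22 and no AllowGroups line at all.
    [ "$(config_value "$int" Port)" = "22" ] || return 1
    [ -z "$(config_value "$int" AllowGroups)" ] || return 1
    # External: anything but port 22, and a group restriction present.
    [ "$(config_value "$ext" Port)" != "22" ] || return 1
    [ -n "$(config_value "$ext" AllowGroups)" ] || return 1
    # Two daemons must not share a PidFile, or the second start clobbers the first.
    [ "$(config_value "$int" PidFile)" != "$(config_value "$ext" PidFile)" ] || return 1
    return 0
}

# syntax_check: let sshd itself parse both files when it is installed
# (-t is sshd's test mode; it needs readable host keys to succeed).
syntax_check() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed; skipping sshd -t"
        return 0
    fi
    sshd -t -f "$WORKDIR/sshd_conf-internal" && sshd -t -f "$WORKDIR/sshd_conf"
}

write_configs
if check_layout; then
    echo "layout ok: internal=22 (open), external=$(config_value "$WORKDIR/sshd_conf" Port) (AllowGroups $(config_value "$WORKDIR/sshd_conf" AllowGroups))"
else
    echo "layout mismatch" >&2
fi
```

Start the second daemon as Patrick did with `sshd -f <file>` (each file needs its own PidFile so the two instances do not fight over one pid file), and keep Steve's last step: the internal-use daemon on tcp/22 still has to be blocked from the outside at the firewall or on the upstream router, since the port split alone does not stop an internet host from connecting to 22.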