There may be a much better way to do this (I have been known to come up with arcane--but effective--ways of doing things), but one idea is to edit /etc/bashrc (or the appropriate global rc file for whatever shell you choose for your users) and add a script that checks the username (using the output of a command such as whoami), then checks the IP currently being used by that user (this can be gleaned from the sshd log, if not from a more direct source?) against a list (maintained in a db just for fun) and immediately logs said user off if the IP doesn't match.
I wouldn't be surprised if this idea would also prove to be easily defeated. I'm no expert, just an idea guy. The suggestion that just came through as I was typing this about using certs is a much better suggestion, but I wanted to air my Rube Goldberg concept. :-)

Cheers,
~Brian

--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
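The rc-file check described in the message above, sketched as an added example that is not part of the original post or of any TriLUG code. It assumes the client address is read from sshd's SSH_CONNECTION environment variable rather than the sshd log, and that the list is a flat file of "username ip" lines instead of a database; the function name, file format and the path /etc/ssh_ip_allow are hypothetical.

```bash
# Added example: per-user source-IP check intended to be sourced from a
# global rc file such as /etc/bashrc. Names and file format are assumptions.

# ip_allowed USER SSH_CONNECTION_VALUE ALLOWLIST_FILE
#   returns 0 = user/IP pair is listed
#           1 = not listed, or the list is unreadable (fail closed)
#           2 = no client IP available (console or other non-SSH session)
ip_allowed() {
    local user="$1" conn="$2" list="$3" client u ip
    # sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port"
    client="${conn%% *}"
    [ -n "$client" ] || return 2
    [ -r "$list" ] || return 1
    while read -r u ip _; do
        case "$u" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$u" = "$user" ] && [ "$ip" = "$client" ]; then
            return 0
        fi
    done < "$list"
    return 1
}

# Constructed sample data (documentation address ranges), used only by demo.
demo() {
    local list
    list="$(mktemp)"
    printf '%s\n' '# user  ip' 'alice 192.0.2.10' 'bob 2001:db8::5' > "$list"
    for conn in '192.0.2.10 50122 203.0.113.1 22' \
                '198.51.100.7 50122 203.0.113.1 22' ''; do
        ip_allowed alice "$conn" "$list"
        echo "alice from '${conn%% *}': status $?"
    done
    rm -f "$list"
}
if [ "${1:-}" = "--demo" ]; then demo; fi

# How the rc file would use it (left commented so running this file is harmless):
#   ip_allowed "$(whoami)" "$SSH_CONNECTION" /etc/ssh_ip_allow
#   if [ $? -eq 1 ]; then
#       logger -p auth.warning "rc check: $(whoami) denied from ${SSH_CONNECTION%% *}"
#       exit 1
#   fi
```

sshd can enforce the same per-user address policy before any shell starts, using AllowUsers user@host patterns in sshd_config or a from= option on the key in authorized_keys.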
