dropbear with PAM support - Unable to do ssh.
Sriram
sriram.ec at gmail.com
Wed May 10 01:08:28 AWST 2017
Hello,
I'm facing a problem when trying to use dropbear with PAM support.
My requirement is to restrict certain users to ssh only through certain
interfaces.
For example: my board has 2 IPs, 10.207.18.101/24 on eth0 and 10.207.118.101/24
on eth1.
The dropbear server listens on port 22 on both of these interfaces. Given this
scenario, I want to restrict a particular user, say "abc", to be able to
ssh only through the eth1 network.
For example, "abc" should be able to log in from IPs like 10.207.118.102/24,
10.207.118.103/24, etc.
I didn't find a way to do this using only dropbear, so I had to integrate dropbear
with PAM.
I applied this patch to dropbear-2016.74.tar.bz2:
--- a/options.h
+++ b/options.h
@@ -213,10 +213,10 @@ If you test it please contact the Dropbear author */
/* This requires crypt() */
#ifdef HAVE_CRYPT
-#define ENABLE_SVR_PASSWORD_AUTH
+/*#define ENABLE_SVR_PASSWORD_AUTH*/
#endif
/* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH */
+#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH
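Review bot: in the second half of this hunk, ENABLE_SVR_PAM_AUTH becomes an unconditional define even though the comment directly above it states that PAM requires ./configure --enable-pam, so a tree configured without that flag would still carry the define. Consider guarding it the way ENABLE_SVR_PASSWORD_AUTH is guarded by HAVE_CRYPT, or at least noting next to the define that the build must be configured with --enable-pam. Since the first half disables password auth in the same change, a short comment saying the two lines are meant to be switched together would also help the next person who edits options.h.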
I configured and compiled dropbear with PAM support.
I added the configuration files below.
a. cat /etc/pam.d/sshd
auth required pam_unix.so
account required pam_access.so
b. cat /etc/security/access.conf
+ : root : ALL
+ : abc : 10.207.118.0/24
- : abc : 10.207.18.0/24
- : ALL : ALL
But with this configuration, abc is unable to log in to the machine via
10.207.118.0/24 either.
Any idea on how to fix this?
Apologies if it's not the right forum to ask this question.
Regards,
Sriram.