Today my boss asked me to do one thing: restrict the server's "test" user so that it can log in only from the company intranet, not from the public network. I thought about it, and I think PAM can implement this very well. My steps are listed below.
Step 1: edit /etc/pam.d/sshd and add the following line:
account required pam_access.so
After adding it, the file reads as follows:
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
account required pam_access.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
Save and exit.
Step 2: edit /etc/security/access.conf and add this line at the end of the file:
-:test:ALL EXCEPT 192.168.1.
To explain: "-" means deny, "test" is the username, "ALL" means all, and "EXCEPT 192.168.1." excludes the 192.168.1 network segment. Pay attention to the final "." in "192.168.1.": be sure to include it!
You also need to add the appropriate permissions for each user, even the root user; otherwise some permissions will be disabled, such as crontab -e.
+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+:userx:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
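The access.conf matching described above can be checked with a small model. This is an added example, not code from the original post or from pam_access; the function names and sample origins are assumptions, and in this simplified model a token without the trailing dot is compared only as a whole string.

```python
# Simplified model of pam_access rule matching; added example, not pam_access code.
# Assumptions: only ALL, EXCEPT, exact tokens and IPv4 prefix tokens ("192.168.1.")
# are modelled; netgroups, LOCAL, hostnames and address/netmask forms are not.

def match_list(tokens, value, match_one):
    """Match value against a token list that may contain EXCEPT."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], value, match_one)
                and not match_list(tokens[i + 1:], value, match_one))
    return any(match_one(tok, value) for tok in tokens)

def user_match(tok, user):
    return tok in ("ALL", user)

def origin_match(tok, origin):
    if tok in ("ALL", origin):
        return True
    # A token ending in "." is a prefix: "192.168.1." covers 192.168.1.0-255
    # but not 192.168.10.x, because the dot is part of the comparison.
    return tok.endswith(".") and origin.startswith(tok)

def parse(conf):
    """Yield (permission, user tokens, origin tokens) for each rule line."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The third field is the rest of the line, so ":0" stays an origin token.
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        yield perm, users.split(), origins.split()

def allowed(conf, user, origin):
    """The first matching rule decides; if no rule matches, access is granted."""
    for perm, users, origins in parse(conf):
        if (match_list(users, user, user_match)
                and match_list(origins, origin, origin_match)):
            return perm == "+"
    return True

# Constructed sample rules: the page's rule, and the same rule without the dot.
WITH_DOT = "-:test:ALL EXCEPT 192.168.1."
NO_DOT = "-:test:ALL EXCEPT 192.168.1"

if __name__ == "__main__":
    for origin in ("192.168.1.25", "192.168.10.7", "203.0.113.9"):
        print(origin, allowed(WITH_DOT, "test", origin), allowed(NO_DOT, "test", origin))
```

With the dot, "test" is admitted only from 192.168.1.x; without it, the model denies "test" from the intranet as well, which is why the trailing dot matters.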
Change the port number:
vim /etc/ssh/ssh_config
vim /etc/ssh/sshd_config
Change the Port setting in both files.
Step 3: restart the sshd service:
service sshd restart
But it still did not work; in the end, Pam No in /etc/ssh/ssh_config had to be changed to Pam Yes.
This article is from the "Wang Xiao Acid" blog; please be sure to keep this source: http://wangaimin.blog.51cto.com/8499946/1905835