Open oppsig opened 3 years ago
Ok, so I did manage to find a workaround. I'll just post it here in case someone will find it useful.
I changed /etc/security/geoip.conf like this:
user3 sshd allow *
Then appended this to sshd config.
AllowUsers user3@10.10.10.1 user1 user2
I guess this way it won't do geo filtering for the user3 user, but I will still be able to control which connections will make it through with sshd.
Why not use pam_access (in addition to pam_geoip)?
Read: man access.conf, man pam_access
This is how PAM works, it's modular. You just add a module in the PAM service file and it does its magic.
And then pam_geoip does Geolocation check and pam_access does IP checks. Avoiding code duplication in two modules.
Your geoip.conf file will have (just like you said):
user3 sshd allow *
Your access.conf will have:
+:user3:10.10.10.1
-:user3:ALL
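As an added illustration (not code from this thread or from the pam_geoip project), here is a small Python model of how pam_access walks access.conf: the first line whose user and origin fields both match decides, and if no line matches, access is granted, which is why the trailing -:user3:ALL line matters. It is deliberately simplified: origins are ALL, a literal address or a CIDR network, users are plain names or ALL, and EXCEPT, groups and LOCAL are not modelled.

```python
# Added example: a simplified model of pam_access's first-match evaluation of
# /etc/security/access.conf. Not the real module; EXCEPT, groups and LOCAL
# are not modelled.
import ipaddress

# Constructed sample: the two lines suggested in the comment above.
ACCESS_CONF = """\
# permission : users : origins
+:user3:10.10.10.1
-:user3:ALL
"""


def parse_access_conf(text):
    """Return a list of (permit, users, origins) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in: {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(pattern, rhost):
    """ALL matches everything; otherwise match an address/CIDR or a literal host."""
    if pattern == "ALL":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(rhost) in net
    except ValueError:
        return pattern == rhost  # not an address: compare the literal string


def access_allowed(rules, user, rhost):
    """First rule whose users AND origins match decides; no match => allowed."""
    for permit, users, origins in rules:
        user_ok = "ALL" in users or user in users
        host_ok = any(origin_matches(p, rhost) for p in origins)
        if user_ok and host_ok:
            return permit
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for who, where in [("user3", "10.10.10.1"), ("user3", "203.0.113.7"), ("user1", "203.0.113.7")]:
        print(who, where, "allowed" if access_allowed(rules, who, where) else "denied")
```

Note that user1 and user2 are never matched by these lines, so pam_access grants them and only the geoip check constrains them.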
Hmm I actually tried that earlier but didn't get it to work. Added +:user3:10.10.10.1, but didn't add the -:user3:ALL though, and didn't have any AllowedUsers entry. But will try again later and report back, might have had a typo or something, thanks for the tip! @amishmm😊
@amishmm ok, I didn't have "account required pam_access.so" uncommented in /etc/pam.d/sshd, so that's probably why it didn't work. Just wondering, does it give any benefits to have pam_access.so manage this instead of AllowedUsers in /etc/ssh/sshd_config?
In my case, instead of putting pam_access.so in /etc/pam.d/sshd, I have put it in top level pam file (like system-remote-login).
So then the same policy applies not just to sshd but also to services like dovecot, httpd, ftpd, i.e. I don't have to configure each service. So that's the benefit of using PAM instead of sshd_config.
@amishmm oh, excellent. Thanks!
Would it be possible to allow entering IPs in /etc/security/geoip.conf? For example, running a wireguard server on an interface with IP address 10.10.10.2, then connecting over ssh via the tunnel from IP address 10.10.10.1. When I connect it sets 10.10.10.1 to UNKNOWN and the connection is rejected.
I guess I could enter that ip into the db DAT file and add a country to it but that file is managed by the repository, and I can't load an additional db file right?
Here is an example of what I was thinking.
Thanks.