24 Sep
2003
24 Sep
'03
13:56
--> There is also a "Hosts" directive to restrict logins to specific IP addresses. It is not documented and when I tried it (on a box running OpenSSH_3.4p1) sshd start failed, complaining about the Hosts directive (perhaps I formatted it incorrectly).
I did get it working with the AllowUsers directive: AllowUsers *@*.my.domain Using this method I find that it still gives the user a login prompt (but always rejects their login unless they are within *.my.domain). Assuming I can trust all machines in *.my.domain, will this actually protect from the vulnerability? At what point in the connection process does the exploit occur - presumably prior to login? -- Simon Oliver