pam_access

/etc/pam.d/sshd

# account phase: consult /etc/security/access.conf before the session is allowed to proceed
account  required     pam_access.so

/etc/security/access.conf

* Rules are evaluated top to bottom and the first matching line wins. If no line matches, access is granted, so a deny-by-default policy needs an explicit "- : ALL : ALL" as the last line.

#       permission : users : origins

permission
+    grant access
-    deny access

users (list, separated by spaces):
(wheel)    members of group wheel (the parentheses force a group lookup)
wheel      user wheel, or group wheel if no such user exists (group fallback is disabled by the nodefgroup option)

origins (list, separated by spaces):
IP addresses (a trailing ".", e.g. 192.168.201., matches an address prefix; a.b.c.d/n matches a network)
host names (a leading ".", e.g. .example.com, matches a domain suffix)
tty names (for non-networked logins)
ALL (always matches)
NONE (matches no tty on non-networked logins)
LOCAL (matches any string that does not contain a "." character)

Example:

# EXCEPT usage
# Disallow non-root logins on the console (tty1 - tty6)
- : ALL EXCEPT root : tty1 tty2 tty3 tty4 tty5 tty6

# User "root" should be allowed to get access from hosts with these IP addresses (string matching),
# and from any address beginning with 192.168.201. (trailing "." = prefix match); everything else is denied for root.
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+ : root : 192.168.201.
- : root : ALL

# User "datahunter" should get access from an IPv4 net/mask
+ : datahunter : 192.168.123.0/24

# All other users should be denied access from all sources.
- : ALL : ALL

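To make the first-match-wins behaviour of the example above easy to trace, here is an added simplified evaluator for access.conf rules. It is not code from pam_access or from this page; it re-implements only the matching forms described above (+/-, user or (group), EXCEPT, ALL, NONE, LOCAL, trailing-dot address prefixes, a.b.c.d/n networks, leading-dot domain suffixes, exact tty/host names). Assumptions: IPv4 only, no hostname resolution, no netgroups or nodefgroup handling, and a constructed GROUPS table standing in for the system group database.

```python
"""Simplified model of how pam_access evaluates /etc/security/access.conf.

Added example, not the real module: enough of the matching rules to trace
which line of a configuration decides a given (user, origin) pair.
Assumptions: IPv4 only, no name resolution, constructed group table.
"""
import ipaddress

# Constructed group database for the example (pam_access uses the real one).
GROUPS = {"wheel": {"root", "alice"}, "ops": {"datahunter"}}


def user_matches(item, user):
    """One token of the users field. "(grp)" forces a group test; a bare
    name matches the user, or a group of that name (nodefgroup not set)."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return user in GROUPS.get(item[1:-1], set())
    return item == user or user in GROUPS.get(item, set())


def origin_matches(item, origin):
    """One token of the origins field against the PAM_RHOST / PAM_TTY string."""
    if item == "ALL":
        return True
    if item == "NONE":
        return False
    if item == "LOCAL":                      # anything without a dot, e.g. tty1
        return "." not in origin
    if "/" in item:                          # a.b.c.d/n network
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:                   # origin is not an IP literal (model does not resolve names)
            return False
    if item.endswith("."):                   # "192.168.201." -> address prefix
        return origin.startswith(item)
    if item.startswith("."):                 # ".example.com" -> domain suffix
        return origin.lower().endswith(item.lower())
    return item.lower() == origin.lower()    # exact string match


def list_matches(field, value, match_one):
    """Apply a space-separated list with an optional EXCEPT clause."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    if not any(match_one(t, value) for t in include):
        return False
    return not any(match_one(t, value) for t in exclude)


def parse_rules(text):
    """Return [(allow, users_field, origins_field)] in file order; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: cannot parse {raw!r}")
        rules.append((parts[0] == "+", parts[1], parts[2]))
    return rules


def check_access(rules, user, origin):
    """The first matching rule decides. Returns (allowed, index of that rule).
    With no matching rule pam_access grants access, which is why a
    deny-by-default file ends with '- : ALL : ALL'."""
    for idx, (allow, users, origins) in enumerate(rules):
        if list_matches(users, user, user_matches) and list_matches(origins, origin, origin_matches):
            return allow, idx
    return True, None


# The example configuration from this page, embedded so the block runs stand-alone.
ACCESS_CONF = """
- : ALL EXCEPT root : tty1 tty2 tty3 tty4 tty5 tty6
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+ : root : 192.168.201.
- : root : ALL
+ : datahunter : 192.168.123.0/24
- : ALL : ALL
"""
RULES = parse_rules(ACCESS_CONF)

if __name__ == "__main__":
    for who, where in [("datahunter", "192.168.123.21"), ("root", "192.168.201.77"),
                       ("root", "tty1"), ("alice", "tty2"), ("datahunter", "datahunter-pc.local")]:
        allowed, idx = check_access(RULES, who, where)
        print(f"{who}@{where}: {'allow' if allowed else 'deny'} (rule {idx})")
```

Tracing the page's own rules with this model surfaces two things worth knowing before deploying them: root on tty1 is denied, because "- : root : ALL" is reached before any line grants root a console origin (the EXCEPT on the first line only stops that line from matching, it grants nothing), and an origin that arrives as a host name rather than an address, such as datahunter-pc.local, does not satisfy the 192.168.123.0/24 rule in this model and falls through to the final deny.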
Test (sshd log on the gateway while datahunter logs in from datahunter-pc.local / 192.168.123.21):

First password attempt:

Nov 30 22:47:46 sshgw sshd[1879]: pam_access(sshd:account): access denied for user `datahunter' from `datahunter-pc.local'
Nov 30 22:47:46 sshgw sshd[1877]: error: PAM: User account has expired for datahunter from datahunter-pc.local

Second password attempt:

Nov 30 22:48:28 sshgw sshd[1877]: Failed password for datahunter from 192.168.123.21 port 3500 ssh2
Nov 30 22:48:28 sshgw sshd[1877]: fatal: Access denied for user tim by PAM account configuration [preauth]

Note that pam_access reports the origin as the host name `datahunter-pc.local', not the address: when sshd has UseDNS enabled it hands PAM the reverse-resolved name, and a network rule such as 192.168.123.0/24 then only matches if that name resolves back to an address inside the range. If it does not, the login falls through to the final "- : ALL : ALL" line, which is the most likely reason a client inside 192.168.123.0/24 was still denied here.

 

 
