This has been implemented in OpenSSH 7.8p1, which was released 2018-08-24. Quote from the release notes:
add a PermitListen directive to sshd_config(5) and a
corresponding permitlisten= authorized_keys option that control
which listen addresses and port numbers may be used by remote
forwarding (ssh -R ...).
Using your example, I'd use iptables to expressly block Alice's SSH access and to accept SSH traffic from Bob's IP address. From the command line, you'd need to enter something like the following (or script it):
Allow Bob's IP (192.168.1.100) to SSH to the default port (22)
$ sudo iptables -I INPUT -s 192.168.1.100 -p tcp -m tcp --dport 22 -m comment --comment "Allow Bob to SSH" -j ACCEPT
And block Alice's SSH access
$ sudo iptables -I INPUT -s 10.1.0.200 -p tcp -m tcp --dport 22 -m comment --comment "Block Alice from using SSH to login" -j DROP
To unblock Alice, you'd use the iptables command with the --list and --line-numbers options to find the line containing her IP address and then delete the line from the table:
$ sudo iptables -L --line-numbers | grep 10.1.0.200
num target prot opt source destination
1 DROP tcp -- 10.1.0.200 anywhere tcp dpt:ssh /* Do not allow Alice to SSH in */
$ sudo iptables -D INPUT 1
or, to do the same with a single command:
$ sudo iptables -L INPUT --line-numbers | grep "10.1.0.200" | awk '{print $1}' | xargs -I {} sudo iptables -D INPUT {}
And use the same command, substituting Alice's IP with Bob's to remove the explicit "Allow" rule for Bob's IP.
I'll leave the scripting to you. Let me know if you'd like thoughts on how you'd best enable the 10 minute timer thing.
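An added example, not part of the answer above: when several rules share a source address, deletion by line number has to run highest first, because each delete renumbers the rules below it, and the match has to be on the exact source column rather than a substring. The listing is constructed sample data in the layout of iptables -L INPUT -n --line-numbers, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: choose INPUT rules by exact source address and emit the
# delete commands in descending rule-number order (dry run, nothing is deleted).

# Constructed sample of `iptables -L INPUT -n --line-numbers` output.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  10.1.0.200           0.0.0.0/0            tcp dpt:22 /* Block Alice from using SSH to login */
2    ACCEPT     tcp  --  192.168.1.100        0.0.0.0/0            tcp dpt:22 /* Allow Bob to SSH */
3    ACCEPT     tcp  --  210.1.0.200          0.0.0.0/0            tcp dpt:443
4    DROP       tcp  --  10.1.0.200           0.0.0.0/0            tcp dpt:2222
5    ACCEPT     tcp  --  10.1.0.20            0.0.0.0/0            tcp dpt:22
EOF
}

# rules_for_source IP
# Reads a listing on stdin and prints the numbers of rules whose source
# column (field 5) equals IP exactly, highest number first.
# A plain `grep 10.1.0.200` would also hit rule 3 (210.1.0.200).
rules_for_source() {
  awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }' | sort -rn
}

# delete_commands IP
# Prints the delete commands for review instead of running them.
# Highest number first: deleting rule 1 before rule 4 would turn rule 4
# into rule 3 and the second delete would remove the wrong rule.
delete_commands() {
  rules_for_source "$1" | while read -r n; do
    echo "iptables -D INPUT $n"
  done
}

# Dry run against the constructed listing.
sample_listing | delete_commands 10.1.0.200
```

On a live host, replace sample_listing with sudo iptables -L INPUT -n --line-numbers and review the printed commands before running them.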
Best Answer
/etc/security/limits.conf, at least on Debian. Path may vary a little by distro. There is an example in the file to limit all members of the student group to 4 logins (commented out):
You could do * instead of a group, but make sure not to hit users you don't want to limit (e.g., a staff member).