LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-12-2011, 07:08 AM   #1
Fracker
Member
 
Registered: Mar 2009
Posts: 86

Rep: Reputation: 0
[SSH] User Disallow from all hosts except one


Hi,

I have a requirement to implement SSH Services in a way, oracle user should be disallowed from everywhere other then one host. While no restrictions for other users.

I worked with DenyUsers, but it disallow oracle logins from all hosts.
 
Old 04-12-2011, 09:13 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
I would *strongly* suggest that you don't deal with this at ssh level, but use tcpwrappers by editing /etc/hosts.allow and /etc/hosts.deny.

so in hosts.allow:
Code:
sshd : oracle@host
And in hosts.deny:
Code:
sshd : oracle@*
should, AFAIK, only allow oracle from that one host within ssh but not affect anything else whatsoever. Plenty of flexibility in tcpwrappers if you want it, but I think that does what you ask for.

Last edited by acid_kewpie; 04-12-2011 at 09:14 AM.
 
Old 04-13-2011, 12:48 AM   #3
Fracker
Member
 
Registered: Mar 2009
Posts: 86

Original Poster
Rep: Reputation: 0
Thanks, I have just tried your suggestion. After adding the entries i don't see any ristriction. I also restarted the network service, ssh service but nothing happened. Do i need to restart something else as well?
 
Old 04-13-2011, 01:02 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324
acid_kewpie's suggestion should work.
Can you post your hosts.allow & hosts.deny files and sshd_config?
Personally I prefer to put
Code:
ALL : ALL
in hosts.deny and only add stuff to hosts.allow where reqd. You may have some unusual requirements that need a more complex hosts.deny, but it's rare.
 
Old 04-13-2011, 07:06 AM   #5
Fracker
Member
 
Registered: Mar 2009
Posts: 86

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
acid_kewpie's suggestion should work.
Can you post your hosts.allow & hosts.deny files and sshd_config?
Personally I prefer to put
Code:
ALL : ALL
in hosts.deny and only add stuff to hosts.allow where reqd. You may have some unusual requirements that need a more complex hosts.deny, but it's rare.
so what should i use instead of sshracle@* ?
 
Old 04-13-2011, 07:09 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
well that would be ALL : ALL as per the post, but that will mean no other users will be able to ssh in from anywhere, but the point then would be to go back to hosts.allow and put more specific allows in there.
 
Old 04-14-2011, 02:40 AM   #7
Fracker
Member
 
Registered: Mar 2009
Posts: 86

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie View Post
well that would be ALL : ALL as per the post, but that will mean no other users will be able to ssh in from anywhere, but the point then would be to go back to hosts.allow and put more specific allows in there.
so we are back on step 1. as others will also be blocked..
 
Old 04-14-2011, 02:57 AM   #8
Gershon K.
LQ Newbie
 
Registered: Apr 2011
Location: Galille
Distribution: Centos
Posts: 4

Rep: Reputation: 0
Why not use iptables?
 
Old 04-14-2011, 03:03 AM   #9
venikathir
LQ Newbie
 
Registered: Apr 2011
Location: Bangalroe-India
Distribution: Redhat EL5
Posts: 24

Rep: Reputation: 1
comparatively tcp wrapper is best for you qury
 
Old 04-14-2011, 05:02 AM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670
You can use the EXCEPT keyword. This is from the "man 5 hosts_access" man page:
Code:
       The explicitly authorized hosts are listed in the allow file.  For example:

       /etc/hosts.allow:
          ALL: LOCAL @some_netgroup
          ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
So you could use sshd: ALL EXCEPT oracle@ALL

--
sorry, I forgot you wanted oracle at one host permission.
Would
/etc/hosts.deny
sshd: oracle@ALL EXCEPT oracle@<allowed_host>

work for you?

Last edited by jschiwal; 04-14-2011 at 05:05 AM.
 
Old 05-09-2011, 03:45 AM   #11
Fracker
Member
 
Registered: Mar 2009
Posts: 86

Original Poster
Rep: Reputation: 0
Nope that also not working, i guess i would have to use something else to tackle this ..

Thanks everyone
 
Old 05-09-2011, 04:00 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Quote:
Originally Posted by Fracker View Post
Nope that also not working, i guess i would have to use something else to tackle this ..

Thanks everyone
No, you're doing it wrong if it's not working. or OpenSSH is compiled without tcpwrappers, which is pretty unlikely.
 
Old 05-09-2011, 06:07 AM   #13
Fracker
Member
 
Registered: Mar 2009
Posts: 86

Original Poster
Rep: Reputation: 0
Quote:
[root@backup01 ~]# strings $(which sshd)| grep libwrap
libwrap.so.0
libwrap refuse returns
[root@backup01 ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

sshd: user@ALL EXCEPT user@xx.x.xx.xxx
Just removed IP and Username here
 
Old 05-09-2011, 07:26 AM   #14
djsmiley2k
Member
 
Registered: Feb 2005
Location: Coventry, UK
Distribution: Home: Gentoo x86/amd64, Debian ppc. Work: Ubuntu, SuSe, CentOS
Posts: 343
Blog Entries: 1

Rep: Reputation: 72
erm or you could setup sshd properly. xD

/etc/ssh/sshd_config

Code:
# Example of overriding settings on a per-user basis
#Match User oracle
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
AllowUsers oracle@123.123.123.10
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Allow ssh tunnel but disallow shell jago25_98 Linux - Server 3 03-14-2011 10:18 AM
Disallow new ssh connections for a while ? Vilius Linux - General 1 01-06-2011 07:44 AM
How to disallow user to login as root? your_shadow03 Linux - Newbie 16 10-12-2009 12:39 PM
How do I disallow ssh login by root? Seventh Linux - Newbie 1 03-26-2005 11:30 AM
disallow ssh root login only from internet wensveen Linux - Security 10 03-21-2005 08:34 AM


All times are GMT -5. The time now is 11:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration