LinuxQuestions.org
Old 05-01-2006, 01:47 AM   #1
booga
LQ Newbie
 
Registered: Jul 2003
Distribution: slack
Posts: 15

Rep: Reputation: 0
2 part question for a noob


OS Slackware 10.x -

Is there a way to configure a user so login can only be from the LAN?

Limit to IP range same as the router


How much access does a user have on SSH? Is there a way to configure limited access?

This is what I am looking for:

Limited to not be able to browse folders outside their home folder.
Specify access to specific folders to allow viewing of logs.


Thank you!

* I just realized that this is my first post, and I have been registered since July 2003.

Last edited by booga; 05-01-2006 at 01:58 AM.
 
Old 05-01-2006, 05:00 AM   #2
Ynot Irucrem
Member
 
Registered: Apr 2005
Location: Perth, Western Australia
Distribution: Debian
Posts: 233

Rep: Reputation: 30
Quote:
Is there a way to configure a user so login can only be from the LAN?
To log in from outside the LAN, you would have to specifically forward port 22 on your router, so by default no-one from the outside can log in.

Quote:
How much access does a user have on SSH? Is there a way to configure limited access?
It's as if the user is sitting at the keyboard, they have all the rights they would normally have. To configure limited access, you could just create a user with that limited access.
 
Old 05-01-2006, 11:20 AM   #3
ioerror
Member
 
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536

Rep: Reputation: 30
Quote:
Limited to not be able to browse folders outside their home folder.
This is rather difficult on a unix system. You'd need a custom version of ls that refused pathnames outside the user's home directory (and custom versions of any other program that could list directories). You'd probably also need to remove any program that can run a shell (so most text editors are out etc).

Bash's restricted mode (-r) is a partial option but not a very good one. You have to use --norc, otherwise the -r mode can be trivially circumvented with e.g. an 'exec zsh' at the end of the user's ~/.bashrc. But then users wouldn't be able to create their own aliases and so forth. I wouldn't like to be stuck in that environment. Less claustrophobic alternatives would be to use a chroot jail or user-mode-linux.

Last edited by ioerror; 05-01-2006 at 11:21 AM.
 
Old 05-02-2006, 02:39 AM   #4
booga
LQ Newbie
 
Registered: Jul 2003
Distribution: slack
Posts: 15

Original Poster
Rep: Reputation: 0
Thank you for the replies!


Quote:
Originally Posted by Ynot Irucrem
To log in from outside the LAN, you would have to specifically forward port 22 on your router, so by default no-one from the outside can log in.
I am opening port 22 on the router for access from outside. I just want some usernames to be allowed this access. Some users tend to stick with passwords which are very simple. This is fine as long as I can prevent their accounts from being used outside of the LAN.
 
Old 05-02-2006, 04:23 AM   #5
ioerror
Member
 
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536

Rep: Reputation: 30
Quote:
I am opening port 22 on the router for access from outside. I just want some usernames to be allowed this access.
You can use the AllowUsers, DenyUsers, AllowHosts, and DenyHosts options (in /etc/ssh/sshd_config) for access control. Probably the easiest way is just to list the users you want to allow access to in AllowUsers. The syntax is just 'AllowUsers user1 user2 etc'. This will deny access to anyone not in the list. Alternatively, DenyUsers will reject only those users listed and so on.
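
The AllowUsers approach from this post, extended to the original question of keeping some accounts LAN-only. This is an added example, not part of the thread: the account names alice, bob and carol, the 192.168.1.0/24 LAN range, and the router forwarding port 22 without rewriting the client's source address are all assumptions.

```conf
# /etc/ssh/sshd_config fragment (added example, not from the thread).
# Assumed: LAN is 192.168.1.0/24; alice, bob and carol are placeholder accounts;
# the router forwards port 22 without rewriting the client's source address.

# Before: names only. Every listed account may log in from any address
# that can reach port 22, including through the router's port forward.
#AllowUsers alice bob carol

# Compare the HOST part with the client address, not a reverse-DNS name.
UseDNS no

# After: USER@HOST patterns. alice may connect from anywhere; bob and carol
# are accepted only from LAN addresses. Anyone not matched here is refused.
# CIDR needs an OpenSSH release whose sshd_config(5) documents it for
# AllowUsers; older releases take wildcard patterns such as bob@192.168.1.*
AllowUsers alice bob@192.168.1.0/24 carol@192.168.1.0/24

# Optional second layer: password authentication is offered only to LAN
# clients, so off-LAN logins (alice here) need a key.
# Match blocks go at the end of the file.
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Run `sshd -t` to check the file before restarting the daemon, and keep an existing session open until a fresh login succeeds.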
 
Old 05-04-2006, 04:09 AM   #6
booga
LQ Newbie
 
Registered: Jul 2003
Distribution: slack
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by ioerror
'AllowUsers user1 user2 etc'. This will deny access to anyone not in the list.
Do I include root in the AllowUsers list? Or is root ALWAYS allowed?
 
Old 05-04-2006, 04:38 AM   #7
ioerror
Member
 
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536

Rep: Reputation: 30
I believe that root access is handled separately to other users, via the PermitRootLogin option. This can have the values "yes", "no", "without-password", or "forced-commands-only". Yes and no are obvious, the others are explained in the sshd_config man page. Note, though, that it is generally discouraged to log in directly as root, but rather to use a normal user account and su/sudo.
 
Old 05-05-2006, 02:45 PM   #8
booga
LQ Newbie
 
Registered: Jul 2003
Distribution: slack
Posts: 15

Original Poster
Rep: Reputation: 0
Looked through the MAN pages for SSHD and did not find how to restart SSHD.

After making the changes on my test machine, it did not take effect until I restarted the computer. Unfortunately, the actual machine where it is needed cannot be restarted at the moment.

Is there a way to restart SSHD without restarting the computer?
 
Old 05-05-2006, 03:02 PM   #9
tuxrules
Senior Member
 
Registered: Jun 2004
Location: Chicago
Distribution: Slackware64 -current
Posts: 1,144

Rep: Reputation: 56
Quote:
Originally Posted by booga
Looked through the MAN pages for SSHD and did not find how to restart SSHD.

After making the changes on my test machine, it did not take effect until I restarted the computer. Unfortunately, the actual machine where it is needed cannot be restarted at the moment.

Is there a way to restart SSHD without restarting the computer?
On Slackware, execute this command as root to restart sshd:

Code:
/etc/rc.d/rc.sshd restart
Tux,
 
Old 05-05-2006, 11:56 PM   #10
booga
LQ Newbie
 
Registered: Jul 2003
Distribution: slack
Posts: 15

Original Poster
Rep: Reputation: 0
Thank you!

This forum kicks arse! Is there IRC for this forum?
 
  


All times are GMT -5.