LinuxQuestions.org

Linux - Newbie: Disable telnet and ssh for a specific user (https://www.linuxquestions.org/questions/linux-newbie-8/disable-telnet-and-ssh-for-a-specific-user-843962/)

krisr 11-12-2010 04:36 PM

Disable telnet and ssh for a specific user
 
I am looking for a way to deny telnet and ssh to one specific user. So far I've only tested with telnet and my attempts have been limited to various hosts.deny entries:

in.telnetd : user@server
in.telnetd : user@server.domain.com
in.telnetd : user@IP_address
in.telnetd : user@.domain.com

None of these work. The only thing I've found that does work is:
in.telnetd : IP_address

But this is only a semi-viable solution because we will soon have multiple logins for the one username from different servers and sub-nets. Ideally, I'd like to be able to deny telnet and ssh access to this username regardless of where the login originates. I suppose it would be possible to specify each server IP, but that'll be a bear to maintain. Thanks in advance!

The platform is RHEL 5 32-bit; kernel is 2.6.18-164.6.1.el5.

pljvaldez 11-12-2010 04:43 PM

Can you just change that users shell to /dev/null or /bin/false? Or do they need local login access?

honeybadger 11-12-2010 04:53 PM

Just adding to the previous posts: put /bin/bash -r; otherwise I think making some changes to the .bashrc would make this possible. I think someone might need to explain this out in detail.
Hope this helps.

krisr 11-16-2010 09:29 AM

The user does need to login with FTP and I don't know without testing how the shell change to /dev/null or /bin/false would affect that. Thanks much for your input!

Hangdog42 11-16-2010 11:37 AM

Is shutting down telnet entirely an option? It is pretty redundant with SSH and you sure don't want to expose telnet to the Internet. As for SSH, look into using the DenyUsers option, or better yet the AllowUsers option, in sshd_config. The latter specifies who can log in, and if you're not on the list, you don't get to use SSH.
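The DenyUsers / AllowUsers idea above, as an added example that is not part of the original thread: a small POSIX shell script that emulates how sshd evaluates those two directives (DenyUsers is checked first, then AllowUsers; the first match wins, and a missing AllowUsers means "everyone not denied"), so a candidate sshd_config can be checked before it is reloaded. The config it reads is a constructed sample, the user names in it are made up, and the `chkconfig`/`service` commands in the comments are the RHEL 5 way of turning off xinetd-managed telnet and reloading sshd on the real box.

```shell
#!/bin/sh
# Added example, not code from the thread. Emulates sshd's
# DenyUsers/AllowUsers handling: deny list first, then allow list,
# first match decides; no AllowUsers means anyone not denied is allowed.
# sshd also supports DenyGroups/AllowGroups after these; not modelled here.
# Patterns are plain names or USER@HOST with shell-style * and ? wildcards,
# which is what sshd accepts in these lists.
#
# On the real RHEL 5 host, the surrounding steps would be (run as root):
#   chkconfig telnet off && service xinetd reload   # telnet-server is xinetd-managed
#   sshd -t -f /etc/ssh/sshd_config                 # syntax check before reload
#   service sshd reload

# ssh_user_allowed CONFIG USER HOST
# exit 0 if USER connecting from HOST passes the Deny/Allow stage, 1 if not.
ssh_user_allowed() {
    cfg=$1; user=$2; host=$3
    # Collect every DenyUsers/AllowUsers line; sshd appends repeated lines.
    deny=$(awk 'tolower($1)=="denyusers"  {$1=""; print}' "$cfg")
    allow=$(awk 'tolower($1)=="allowusers" {$1=""; print}' "$cfg")

    for pat in $deny; do
        case "$user" in $pat) return 1 ;; esac
        case "$user@$host" in $pat) return 1 ;; esac
    done

    # No AllowUsers directive at all: everyone not denied gets through.
    [ -z "$allow" ] && return 0

    for pat in $allow; do
        case "$user" in $pat) return 0 ;; esac
        case "$user@$host" in $pat) return 0 ;; esac
    done
    return 1
}

# write_sample_config FILE: constructed sshd_config fragment (made-up names).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sshd_config
Port 22
Protocol 2
DenyUsers baduser olduser@10.0.0.*
AllowUsers krisr admin@10.1.1.5
EOF
}

# Demo: show the decision for a few user/host combinations.
tmpcfg=$(mktemp)
write_sample_config "$tmpcfg"
for who in krisr@10.9.9.9 baduser@10.1.1.5 olduser@10.0.0.7 admin@10.1.1.5 admin@10.2.2.2; do
    u=${who%@*}; h=${who#*@}
    if ssh_user_allowed "$tmpcfg" "$u" "$h"; then
        echo "$who: allowed"
    else
        echo "$who: refused"
    fi
done
rm -f "$tmpcfg"
```

Because AllowUsers is a whitelist, the safest form for the poster's case is an AllowUsers line naming the accounts that should have SSH and leaving the FTP-only account off it; DenyUsers alone is fine too, but has to be updated every time a new account should be refused.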

frieza 11-16-2010 12:02 PM

The shell you would use is /usr/sbin/nologin or /sbin/nologin; this is considered a 'valid' shell which won't trigger errors. You would put this in the shell part of /etc/passwd
Code:

[user]:x:[uid]:[gid]::/var/run:/usr/sbin/nologin
of course
Code:

[user]:x:[uid]:[gid]::/var/run:/bin/false
works too
Ubuntu does that by default for its service users (values in [] are generalized for reference only and should be left alone).
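The shell change described above, as an added example that is not part of the original thread, with the check a practitioner would want given the poster's FTP requirement: on the real box the change is one command (`usermod -s /sbin/nologin USER`, as root; /sbin/nologin is the RHEL path, /usr/sbin/nologin the Debian/Ubuntu one), but services whose PAM stack includes pam_shells (vsftpd's on RHEL does) refuse any account whose shell is not listed in /etc/shells, so a nologin shell must be present there or FTP breaks. The script works on constructed copies of /etc/passwd and /etc/shells with made-up user names so it runs without touching the real files.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks two things for an
# account that should keep FTP but lose interactive logins:
#   1. its login shell is a non-interactive one (nologin or /bin/false), and
#   2. that shell is listed in /etc/shells, otherwise pam_shells-based
#      services (vsftpd on RHEL) will reject the account as well.
# Real-world command for the change itself (as root):
#   usermod -s /sbin/nologin krisr
# Uses constructed passwd/shells files; user names are made up.

# login_shell PASSWD USER -> prints USER's shell field from PASSWD
login_shell() {
    awk -F: -v u="$2" '$1==u {print $7}' "$1"
}

# interactive_login_blocked PASSWD USER
# exit 0 if the shell is a nologin variant or /bin/false
interactive_login_blocked() {
    case "$(login_shell "$1" "$2")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# shell_listed SHELLS SHELL -> exit 0 if SHELL appears as a whole line
shell_listed() {
    grep -qx "$2" "$1"
}

# ftp_still_works PASSWD SHELLS USER
# exit 0 only when the account's shell is listed in /etc/shells, which is
# what pam_shells requires before vsftpd will accept the login.
ftp_still_works() {
    sh=$(login_shell "$1" "$3")
    [ -n "$sh" ] && shell_listed "$2" "$sh"
}

# write_samples DIR: constructed passwd and shells files for the demo.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
krisr:x:501:501::/home/krisr:/sbin/nologin
bob:x:502:502::/home/bob:/bin/false
alice:x:503:503::/home/alice:/bin/bash
EOF
    cat > "$1/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF
}

# Demo: krisr has nologin (listed in shells) -> no shell, FTP still OK.
#       bob has /bin/false, which is not in shells -> no shell, FTP refused.
d=$(mktemp -d)
write_samples "$d"
for u in krisr bob alice; do
    if interactive_login_blocked "$d/passwd" "$u"; then s="blocked"; else s="allowed"; fi
    if ftp_still_works "$d/passwd" "$d/shells" "$u"; then f="works"; else f="refused"; fi
    echo "$u: interactive login $s, FTP (pam_shells) $f"
done
rm -rf "$d"
```

The takeaway for the poster's case: /sbin/nologin plus an entry for it in /etc/shells keeps vsftpd happy while closing telnet and ssh logins for that one account, whereas /bin/false will shut off FTP too unless it is added to /etc/shells.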

Tinkster 11-16-2010 12:22 PM

To add to the posts above: I'd disable telnet altogether, and
(assuming you're using openSSH >= 5.x) create a chroot jail for
the user .... that way they can only sftp to the machine.



Cheers,
Tink
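The sftp-only chroot suggested above, as an added example that is not part of the original thread: a script that prints the sshd_config `Match` block for one user (ChrootDirectory plus `ForceCommand internal-sftp`, with forwarding switched off) and checks the one requirement that trips most people up, namely that sshd refuses a chroot unless the directory and every parent are owned by root and are not group- or world-writable. The user name and path are made up. One caveat worth checking first with `rpm -q openssh`: the stock RHEL 5 package is OpenSSH 4.3p2, which predates ChrootDirectory and internal-sftp, so this needs a newer build than the distribution ships.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for an sftp-only
# chroot jail in OpenSSH (ChrootDirectory + internal-sftp, OpenSSH 4.9+;
# stock RHEL 5 openssh-4.3p2 does not have these options).
# User name "krisr" and path /home/krisr are assumptions.

# sftp_match_block USER DIR -> prints the sshd_config fragment to append.
# Match blocks must come after all global options in sshd_config.
sftp_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# check_chroot_path DIR
# sshd's rule: DIR and every parent up to / must be owned by root and
# must not be writable by group or others; otherwise the login fails with
# "bad ownership or modes for chroot directory". Exit 0 if DIR qualifies.
# Uses GNU stat (%u = owner uid, %a = octal mode), available on RHEL 5.
check_chroot_path() {
    p=$1
    case "$p" in /*) ;; *) echo "$p: must be an absolute path" >&2; return 1 ;; esac
    while :; do
        set -- $(stat -c '%u %a' "$p" 2>/dev/null) || return 1
        uid=$1; mode=$2
        [ "$uid" = 0 ] || { echo "$p: not owned by root (uid $uid)" >&2; return 1; }
        # The last two octal digits are group and other; a write bit (2)
        # shows up as 2, 3, 6 or 7 in either position.
        case "$mode" in
            *[2367][0-7]|*[0-7][2367]) echo "$p: group/world writable ($mode)" >&2; return 1 ;;
        esac
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Demo: print the fragment and test a deliberately bad directory.
sftp_match_block krisr /home/krisr
bad=$(mktemp -d)
chmod 777 "$bad"                      # world-writable: sshd would refuse it
if check_chroot_path "$bad"; then
    echo "$bad: acceptable as a chroot"
else
    echo "$bad: NOT acceptable as a chroot"
fi
rmdir "$bad"
```

Because the chroot itself must be root-owned and read-only for the user, the usual layout is a root-owned /home/USER with a user-owned subdirectory (for example /home/USER/upload) where files actually land; the user's home in /etc/passwd then points at the path inside the jail.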

mahu_mahu 11-17-2010 08:40 AM

How about this?
1. Create a group (e.g. ordinary).
2. Change the permission of the telnet and ssh commands so that only users who are in the group (e.g. ordinary) can run those commands.
3. All users except that one user belong to the group (e.g. ordinary).
4. On every update of telnet and ssh, you have to change the permission of the telnet and ssh commands. (And on every upgrade of your OS, i.e. every reinstallation of your OS, you have to do this setting again.)

