Disable telnet and ssh for a specific user
I am looking for a way to deny telnet and ssh to one specific user. So far I've only tested with telnet and my attempts have been limited to various hosts.deny entries:
Code:
in.telnetd : user@server
in.telnetd : user@server.domain.com
in.telnetd : user@IP_address
in.telnetd : user@.domain.com
None of these work. The only thing I've found that does work is:
Code:
in.telnetd : IP_address
But this is only a semi-viable solution because we will soon have multiple logins for the one username from different servers and sub-nets. Ideally, I'd like to be able to deny telnet and ssh access to this username regardless of where the login originates. I suppose it would be possible to specify each server IP, but that'll be a bear to maintain. Thanks in advance! The platform is RHEL 5 32-bit; kernel is 2.6.18-164.6.1.el5. |
Can you just change that user's shell to /dev/null or /bin/false? Or do they need local login access?
|
Just adding to the previous posts - put /bin/bash -r.... else I think making some changes to the .bashrc would make this possible. I think someone might need to explain this out in detail.
Hope this helps. |
The user does need to login with FTP and I don't know without testing how the shell change to /dev/null or /bin/false would affect that. Thanks much for your input!
|
Is shutting down telnet entirely an option? It is pretty redundant with SSH and you sure don't want to expose telnet to the Internet. As for SSH, look into using the DenyUsers option, or better yet the AllowUsers option, in sshd_config. The latter specifies who can log in, and if you're not on the list, you don't get to use SSH.
|
The shell you would use is /usr/sbin/nologin or /sbin/nologin. This is considered a 'valid' shell which won't trigger errors; you would put this in the shell part of /etc/passwd:
Code:
[user]:x:[uid]:[gid]::/var/run:/usr/sbin/nologin
Code:
[user]:x:[uid]:[gid]::/var/run:/bin/false
Ubuntu does that by default for its service users (values in [] are generalized for reference only and should be left alone). |
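Added example, not from any of the posts in this thread: a small POSIX shell audit that checks whether a given username is locked out by the two mechanisms suggested above, a non-login shell in /etc/passwd and DenyUsers/AllowUsers in sshd_config. The passwd lines and sshd_config fragment are constructed, and the matcher only handles exact usernames (sshd's wildcard, user@host and Match-block forms are not modelled).

```shell
#!/bin/sh
# Audit helper (added example): does USER get a non-login shell, and does
# sshd_config refuse them?  Inputs are passed as text so this runs offline.
# To apply the shell change on a real host: usermod -s /sbin/nologin USER
# Constructed passwd lines, not a real system's /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ftpuser:x:1001:1001::/var/run:/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/bash'

# Constructed sshd_config fragment
SAMPLE_SSHD='Port 22
DenyUsers ftpuser
AllowUsers alice bob'

# user_shell PASSWD_TEXT USER -> prints the 7th (shell) field for USER
user_shell() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $7 }'
}

# shell_is_nologin SHELL -> 0 when the shell refuses interactive login
shell_is_nologin() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_denied SSHD_TEXT USER -> 0 when USER is in DenyUsers, or an AllowUsers
# line exists that omits USER.  Exact-name matching only: sshd's wildcards,
# user@host patterns and Match blocks are not modelled here.
ssh_denied() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 == "DenyUsers"  { for (i = 2; i <= NF; i++) if ($i == u) denied = 1 }
        $1 == "AllowUsers" { seen = 1; for (i = 2; i <= NF; i++) if ($i == u) ok = 1 }
        END { exit !(denied || (seen && !ok)) }'
}

# user_locked_out PASSWD_TEXT SSHD_TEXT USER -> 0 only when both controls apply
user_locked_out() {
    shell_is_nologin "$(user_shell "$1" "$3")" && ssh_denied "$2" "$3"
}

for u in ftpuser alice; do
    if user_locked_out "$SAMPLE_PASSWD" "$SAMPLE_SSHD" "$u"; then
        echo "$u: shell and ssh both blocked"
    else
        echo "$u: still able to log in via shell or ssh"
    fi
done
```

Run it against the real files with `user_locked_out "$(cat /etc/passwd)" "$(cat /etc/ssh/sshd_config)" USER` to check a host after making the changes.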
To add to the posts above: I'd disable telnet altogether, and (assuming you're using OpenSSH >= 5.x) create a chroot jail for the user .... that way they can only sftp to the machine. Cheers, Tink |
How about this?
1. Create a group (e.g. ordinary).
2. Change the permission of the telnet and ssh commands so that only users who are in the group (e.g. ordinary) can run those commands.
3. All users except that one user belong to the group (e.g. ordinary).
4. On every update of telnet and ssh, you have to change the permission of the telnet and ssh commands. (And on every upgrade of your OS, i.e. every reinstallation of your OS, you have to do this setting.) |