Old 11-12-2010, 05:36 PM   #1
krisr
LQ Newbie
 
Registered: Jun 2010
Posts: 2

Disable telnet and ssh for a specific user


I am looking for a way to deny telnet and ssh to one specific user. So far I've only tested with telnet and my attempts have been limited to various hosts.deny entries:

in.telnetd : user@server
in.telnetd : user@server.domain.com
in.telnetd : user@IP_address
in.telnetd : user@.domain.com

None of these work. The only thing I've found that does work is:
in.telnetd : IP_address

But this is only a semi-viable solution because we will soon have multiple logins for the one username from different servers and sub-nets. Ideally, I'd like to be able to deny telnet and ssh access to this username regardless of where the login originates. I suppose it would be possible to specify each server IP, but that'll be a bear to maintain. Thanks in advance!

The platform is RHEL 5 32-bit; kernel is 2.6.18-164.6.1.el5.

Last edited by krisr; 11-12-2010 at 06:21 PM. Reason: Left out platform info.
 
Old 11-12-2010, 05:43 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Can you just change that users shell to /dev/null or /bin/false? Or do they need local login access?

Last edited by pljvaldez; 11-12-2010 at 05:45 PM.
 
Old 11-12-2010, 05:53 PM   #3
honeybadger
Member
 
Registered: Aug 2007
Location: India
Distribution: Slackware (mainly) and then a lot of others...
Posts: 855

Just adding to the previous posts - put /bin/bash -r.... else I think making some changes to the .bashrc would make this possible. I think someone might need to explain this out in detail.
Hope this helps.
 
Old 11-16-2010, 10:29 AM   #4
krisr
LQ Newbie
 
Registered: Jun 2010
Posts: 2

Original Poster
The user does need to login with FTP and I don't know without testing how the shell change to /dev/null or /bin/false would affect that. Thanks much for your input!
 
Old 11-16-2010, 12:37 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Is shutting down telnet entirely an option? It is pretty redundant with SSH and you sure don't want to expose telnet to the Internet. As for SSH, look into using the DenyUsers option, or better yet the AllowUsers option, in sshd_config. The latter specifies who can log in, and if you're not on the list, you don't get to use SSH.
 
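As an added example (not from the thread), here is a small POSIX sh emulation of how sshd applies DenyUsers and AllowUsers to a login attempt, run against a constructed sshd_config fragment. sshd_config(5) evaluates the user directives in a fixed order, DenyUsers first and then AllowUsers (the group directives follow and are not modelled here), so a DenyUsers match always refuses the login, and once any AllowUsers line exists a user who matches none of its patterns is refused as well. Patterns may be USER or USER@HOST with '*' and '?' wildcards; Match blocks are not modelled, and the sample config, user names and addresses are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: emulate sshd's DenyUsers/AllowUsers
# evaluation.  Order per sshd_config(5): DenyUsers, then AllowUsers.
# sshd matches the HOST part of USER@HOST against both the client's
# hostname and its address; this demo only passes the address.

# match_pat PATTERN USER HOST: 0 if PATTERN covers USER connecting from HOST
match_pat() {
    pat=$1 user=$2 host=$3
    case $pat in
        *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
        *)   upat=$pat;       hpat='*' ;;
    esac
    # An unquoted variable in a case pattern is glob-matched, like sshd's
    # '*' and '?' wildcards.
    case $user in $upat) ;; *) return 1 ;; esac
    case $host in $hpat) return 0 ;; *) return 1 ;; esac
}

# sshd_user_allowed USER HOST CONFIG: 0 if the login would be permitted
sshd_user_allowed() {
    user=$1 host=$2 cfg=$3
    denied=0 have_allow=0 allowed=0
    while read -r key rest; do
        # Keywords are case-insensitive in sshd_config; comment lines
        # start with '#' and match nothing below.
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            denyusers)
                for p in $rest; do
                    match_pat "$p" "$user" "$host" && denied=1
                done ;;
            allowusers)
                have_allow=1
                for p in $rest; do
                    match_pat "$p" "$user" "$host" && allowed=1
                done ;;
        esac
    done < "$cfg"
    [ "$denied" -eq 0 ] || return 1               # deny wins, whatever the file order
    [ "$have_allow" -eq 0 ] || [ "$allowed" -eq 1 ]  # allow list present => must be on it
}

# Constructed sample config for this demo (not a real host's file).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config fragment
Protocol 2
PermitRootLogin no
# refuse this account from everywhere
DenyUsers appuser
# everyone else must be listed; ops only from one subnet
AllowUsers admin ops@10.0.0.*
EOF

for who in appuser@192.0.2.5 admin@192.0.2.5 ops@10.0.0.7 ops@192.0.2.5 bob@10.0.0.7; do
    if sshd_user_allowed "${who%@*}" "${who#*@}" "$SAMPLE_CFG"; then
        echo "$who: allowed"
    else
        echo "$who: refused"
    fi
done
```

After editing the real /etc/ssh/sshd_config, run `sshd -t` to syntax-check it and keep an existing session open while you reload sshd, because a bad AllowUsers line locks out every account that is not on it, including your own.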
Old 11-16-2010, 01:02 PM   #6
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,200

the shell you would use is /usr/sbin/nologin or /sbin/nologin, this is considered a 'valid' shell which won't trigger errors, you would put this in the shell part of /etc/passwd
Code:
[user]:x:[uid]:[gid]::/var/run:/usr/sbin/nologin
of course
Code:
[user]:x:[uid]:[gid]::/var/run:/bin/false
works too
ubuntu does that by default for its service users (values in [] are generalized for reference only and should be left alone)
 
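The original poster asked what a nologin shell does to the account's FTP access. As an added example (not from the thread), the script below audits a passwd-format file against an /etc/shells-format file and reports, per user, whether interactive logins (ssh, telnet, console) are blocked and whether FTP still works. The FTP verdict rests on a fact about RHEL's vsftpd: it authenticates through PAM with pam_shells, which rejects any account whose login shell is not listed in /etc/shells. RHEL ships /sbin/nologin in /etc/shells (check with `grep nologin /etc/shells`), so nologin blocks the shell but keeps FTP working, while /bin/false is normally not listed and breaks FTP too. The passwd and shells files are constructed for the demo; the real change on the box is `usermod -s /sbin/nologin USER`.

```shell
#!/bin/sh
# Added example, not from the thread: what a nologin shell does to
# interactive logins versus FTP-through-PAM (pam_shells).

# shell_of USER PASSWDFILE: print USER's login shell (7th field); fail if absent
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 }
                       END { exit !found }' "$2"
}

# blocks_interactive SHELL: 0 if the shell refuses an interactive session.
# Both nologin and false exit at once; login/sshd then drop the session.
blocks_interactive() {
    case $1 in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/dev/null) return 0 ;;
        *) return 1 ;;
    esac
}

# listed_shell SHELL SHELLSFILE: 0 if SHELL is an exact line of the shells file,
# which is what pam_shells (and vsftpd's check_shell) require
listed_shell() {
    grep -qx -- "$1" "$2"
}

# access_report USER PASSWDFILE SHELLSFILE: one-line verdict for USER
access_report() {
    sh=$(shell_of "$1" "$2") || { echo "no such user: $1" >&2; return 1; }
    if blocks_interactive "$sh"; then i=blocked; else i=allowed; fi
    if listed_shell "$sh" "$3"; then f=allowed; else f=blocked; fi
    echo "$1 shell=$sh interactive=$i ftp=$f"
}

# Constructed sample files for this demo, not copied from any system.
PW=$(mktemp); SH=$(mktemp)
cat > "$PW" <<'EOF'
root:x:0:0:root:/root:/bin/bash
appuser:x:501:501:batch ftp account:/home/appuser:/sbin/nologin
bob:x:502:502::/home/bob:/bin/false
EOF
cat > "$SH" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

for u in root appuser bob; do access_report "$u" "$PW" "$SH"; done
```

Run it against the real files with `access_report USER /etc/passwd /etc/shells` to confirm the effect before and after the `usermod`.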
Old 11-16-2010, 01:22 PM   #7
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

To add to the posts above: I'd disable telnet altogether, and
(assuming you're using OpenSSH >= 5.x) create a chroot jail for
the user .... that way they can only sftp to the machine.



Cheers,
Tink
 
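As an added example (not from the thread), the script below shows the two halves of an sftp-only chroot: `print_sftp_match` emits the sshd_config Match block using the directives from sshd_config(5) (ChrootDirectory, ForceCommand internal-sftp), and `chroot_path_ok` checks the rule sshd enforces on ChrootDirectory, namely that the directory and every parent up to / are owned by root and not writable by group or others; otherwise sshd logs "bad ownership or modes for chroot directory" and refuses the login. Two caveats worth knowing: the stock RHEL 5 package is OpenSSH 4.3p2, which predates ChrootDirectory (added in 4.8) and internal-sftp (4.9), so this needs a newer sshd than RHEL 5 ships; and the ordinary sftp-server subsystem is launched through the user's login shell, so it breaks for a nologin account, whereas internal-sftp runs inside sshd and works with nologin. The /srv/sftp/USER layout and the user name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sftp-only chroot pieces.

# print_sftp_match USER: the Match block for an sftp-only, chrooted user.
# /srv/sftp/USER is an assumed layout; the directory itself must be
# root-owned and the user gets a writable subdirectory inside it.
print_sftp_match() {
    cat <<EOF
Match User $1
    ChrootDirectory /srv/sftp/$1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# mode_ok OCTALMODE (as printed by stat %a, e.g. 755 or 1777):
# 0 unless the group or other write bit (2) is set
mode_ok() {
    m=$1
    w=${m#"${m%?}"}                 # last digit: others
    g=${m%?}; g=${g#"${g%?}"}       # second-to-last digit: group
    for d in $g $w; do
        case $d in 2|3|6|7) return 1 ;; esac
    done
    return 0
}

# chroot_path_ok DIR: walk DIR up to / applying sshd's ownership/mode rule,
# printing the first offending component
chroot_path_ok() {
    d=$1
    while :; do
        info=$(stat -c '%u %a' "$d" 2>/dev/null) || { echo "$d: cannot stat"; return 1; }
        set -- $info                                  # $1 = uid, $2 = octal mode
        [ "$1" -eq 0 ] || { echo "$d: owned by uid $1, not root"; return 1; }
        mode_ok "$2" || { echo "$d: mode $2 is group/world writable"; return 1; }
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

print_sftp_match appuser
chroot_path_ok /srv/sftp/appuser && echo "chroot path ok"
```

Typical setup under these assumptions: `mkdir -p /srv/sftp/appuser/upload`, leave /srv, /srv/sftp and /srv/sftp/appuser as root:root 755, `chown appuser /srv/sftp/appuser/upload`, append the Match block to /etc/ssh/sshd_config, then `sshd -t` before reloading.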
Old 11-17-2010, 09:40 AM   #8
mahu_mahu
Member
 
Registered: Dec 2007
Location: Japan
Distribution: Debian
Posts: 42

How about this?
1. Create a group (e.g. ordinary)
2. Change the permission of the telnet and ssh commands so that only users who are in the group (e.g. ordinary) can run those commands.
3. All users except that one user belong to the group (e.g. ordinary).
4. On every update of telnet and ssh, you have to change the permission of the telnet and ssh commands. (And on every upgrade of your OS: every reinstallation of your OS, you have to do this setting.)
 