LinuxQuestions.org

Linux - Security forum: Only allowing users in a single group to ssh from internet (http://www.linuxquestions.org/questions/linux-security-4/only-allowing-users-in-a-single-group-to-ssh-from-internet-394240/)

eggi 12-18-2005 03:48 PM

Only allowing users in a single group to ssh from internet
 
Hello all

I would like to set up sshd on my home Linux machine so that only users in a specific group (f.ex "staff") can log in through ssh from the outside, but still allow me to ssh as root from the intranet. The reason is that I do most of my system administration by editing config files in BBEdit on my Mac, which has an "Open from SFTP server" command (which is really nice), and I'd hate to give it up just because some idiot in Japan is trying to guess my root password (yes, I've added scripts that block an address after X attempts, but still...)

Eggi

Notwerk 12-18-2005 05:14 PM

In /etc/ssh/sshd_config you can specify:
AllowGroups groupname
AllowUsers username

This will restrict access to ONLY the listed groups and/or users. Also, my advice is to keep "PermitRootLogin no" and only su to root after logging in with your username/password.

hope this helps

michaelk 12-18-2005 05:17 PM

Yes. See the sshd_config man page for details.
You should disable root login and use su for access.
Changing ports helps eliminate the garbage from the script kiddies.

eggi 12-19-2005 10:35 AM

Thanks for the replies, guys. These are both good ideas, however, like I said in the original post, I really would like to allow root-access to the sftp subsystem from the intranet while blocking it from the outside. Are you saying that it is impossible?

Eggi

michaelk 12-19-2005 12:06 PM

Quote:

> I really would like to allow root-access to the sftp subsystem from the intranet while blocking it from the outside

If I understand your question, then I think the answer is no.
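A way to get what eggi asked for, as an added example that is not from any post in this thread: sshd's Match directive (added in OpenSSH 4.4, after this thread was written) applies a separate set of options only to connections matching a source address, so root can be allowed from the LAN while the internet-facing defaults stay locked down. The group name, LAN range and the use of internal-sftp (OpenSSH 4.9+) are assumptions.

```text
# Added example, not from the thread. Global options apply to every
# connection, including those from the internet.
Port 22
PermitRootLogin no
PasswordAuthentication yes
# Only members of this group (assumed name) can authenticate at all.
AllowGroups staff
# Built-in sftp server (OpenSSH 4.9+); older versions need the path to
# the sftp-server binary instead.
Subsystem sftp internal-sftp

# Everything after a Match line applies only to connections that meet
# its criteria, until the next Match or the end of the file. Match
# blocks must come after all global options. 192.168.1.0/24 is an
# assumed home LAN range; sshd matches on the client's source address,
# so a LAN host behind NAT or a VPN must actually arrive from that range.
Match Address 192.168.1.0/24
    # Root may log in from the LAN, but only with a key, never a password.
    PermitRootLogin without-password
    # AllowGroups set here replaces the global list for matched
    # connections; root must be included or it is still rejected.
    AllowGroups staff root
```

After editing, `sshd -T -C user=root,addr=192.168.1.20` (OpenSSH 5.1+) prints the effective options for a simulated connection from that address, and running it again with an outside address should show PermitRootLogin still set to no.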

