LinuxQuestions.org
Old 12-18-2005, 02:48 PM   #1
eggi
LQ Newbie
 
Registered: Jul 2004
Location: Iceland
Distribution: SuSE, RedHat
Posts: 4

Rep: Reputation: 0
Only allowing users in a single group to ssh from internet


Hello all

I would like to set up sshd on my home Linux machine so that only users in a specific group (e.g. "staff") can log in through ssh from the outside, but still allow me to ssh as root from the intranet. The reason is that I do most of my system administration by editing config files in BBEdit on my Mac, which has an "Open from SFTP server" command (which is really nice) and I'd hate to give it up just because some idiot in Japan is trying to guess my root password (yes, I've added scripts that block an address after X attempts, but still...)

Eggi
 
Old 12-18-2005, 04:14 PM   #2
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 31
In /etc/ssh/sshd_config you can specify:
AllowGroups %groupname%
AllowUsers %username%

This will restrict access to ONLY the listed groups and/or users. Also, my advice is to keep the "PermitRootLogin no" and only su to root after logging in with your username/password.

hope this helps
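
An added example (not from any poster in this thread, and not OpenSSH code): a simplified Python model of how sshd combines the AllowUsers and AllowGroups directives named above, including the USER@HOST pattern form documented in sshd_config(5). Deny lists, negated patterns and CIDR hosts are left out; the user names, the LAN range and the addresses are constructed.

```python
import re

def _match(pattern, value):
    # sshd_config patterns: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def parse_allow_lists(config_text):
    """Collect AllowUsers / AllowGroups patterns from sshd_config text."""
    lists = {"allowusers": [], "allowgroups": []}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in lists:  # keywords are case-insensitive
            lists[parts[0].lower()].extend(parts[1].split())
    return lists

def login_allowed(lists, user, groups, client_addr):
    """Simplified model: each allow list that is present must match."""
    if lists["allowusers"]:
        def user_ok(pat):
            upat, at, hpat = pat.partition("@")  # USER or USER@HOST
            return _match(upat, user) and (not at or _match(hpat, client_addr))
        if not any(user_ok(p) for p in lists["allowusers"]):
            return False
    if lists["allowgroups"]:
        if not any(_match(p, g) for p in lists["allowgroups"] for g in groups):
            return False
    return True

# Constructed sample configs; user names and addresses are made up.
BOTH_LISTS = """
AllowGroups staff
AllowUsers root@192.168.1.*
"""
USERS_ONLY = """
AllowUsers alice bob root@192.168.1.*
"""

def check(config_text):
    lists = parse_allow_lists(config_text)
    return {
        "alice_wan": login_allowed(lists, "alice", ["staff"], "203.0.113.7"),
        "root_lan": login_allowed(lists, "root", ["root"], "192.168.1.10"),
        "root_wan": login_allowed(lists, "root", ["root"], "203.0.113.7"),
    }

if __name__ == "__main__":
    print("both lists:", check(BOTH_LISTS))
    print("users only:", check(USERS_ONLY))
```

With both directives present a login has to pass both lists, so the first sample locks out everyone, while the second admits the listed users from anywhere and root only from the LAN range. Real sshd resolves the user's primary and supplementary groups itself, and a root login additionally depends on PermitRootLogin.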
 
Old 12-18-2005, 04:17 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,568

Rep: Reputation: 5865
Yes. See the sshd_config man page for details.
You should disable root login and use su for access.
Changing ports helps eliminate the garbage from the script kiddies.
 
Old 12-19-2005, 09:35 AM   #4
eggi
LQ Newbie
 
Registered: Jul 2004
Location: Iceland
Distribution: SuSE, RedHat
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for the replies, guys. These are both good ideas, however, like I said in the original post, I really would like to allow root-access to the sftp subsystem from the intranet while blocking it from the outside. Are you saying that it is impossible?

Eggi
 
Old 12-19-2005, 11:06 AM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,568

Rep: Reputation: 5865
Quote:
I really would like to allow root-access to the sftp subsystem from the intranet while blocking it from the outside
If I understand your question, then I think the answer is no.
 
  

