LinuxQuestions.org
Old 05-09-2005, 10:54 PM   #1
bullium
Member
 
Registered: Aug 2003
Location: Ohio
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146

Rep: Reputation: 17
Restricting SSH logins.


I've done some googling, but I cannot find a rock solid way of doing what I want. Here's the deal: I'm running Slackware 10.0 with proftpd, which is working fine; in fact, everything is running great. My problem is that proftpd runs on local user accounts, which I like, but I don't want them all to have access via SSH. So my question is: how do I allow certain users access via SSH and not others, but still allow everyone access to FTP? Thanks in advance.
 
Old 05-09-2005, 11:32 PM   #2
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
There is a standard and very secure way of doing this through shell selection.

See, every user on your system needs a shell and (AFAIK) proftpd checks /etc/shells to make sure that the user has a "valid" shell. As long as the shell the user has appears in this list proftpd will let them log in.

The trick is giving users you don't want to be able to have terminal access a dummy shell. You can do this by adding /dev/null to the end of the /etc/shells file, and then assigning ftp-only users that shell. This way when they log in via SSH they'll be presented with nothing but they can still log in via FTP.

The slightly cleaner way of doing this is to assign the users a shell script, like /var/nologin, which looks like the following:
Code:
#!/bin/sh
echo "If you're reading this, you ain't 1337"
exit 1
That way when they log in they're presented with a message then kicked off. This is, however, not strictly necessary.
 
Old 05-09-2005, 11:54 PM   #3
bullium
Member
 
Registered: Aug 2003
Location: Ohio
Distribution: Ubuntu 12.04, Mint 13, RHES 5.5, RHES 6
Posts: 146

Original Poster
Rep: Reputation: 17
I've found the answer.
Edit the /etc/ssh/sshd_config file.
Add the following to the file above, uncommented.
Code:
AllowUsers user1 user2 user3
or
Code:
AllowGroups group1 group2
Any user or group not listed will not have ssh access to the system.
 
Old 05-10-2005, 01:15 AM   #4
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
That's one way of doing it but assigning the user a null shell is always a good way to go.
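
Added example, not part of any post in this thread: a shell audit covering both approaches discussed above. For each account it reports whether AllowUsers admits it to sshd and whether its login shell is listed in the shells file that post #2 says proftpd checks. The account names, file contents and the audit_access and demo function names are constructed for illustration, and AllowUsers matching is simplified to exact names (no patterns, no user@host, no AllowGroups).

```shell
#!/bin/sh
# Added example: compare sshd AllowUsers with shells-file membership per account.
# All file contents below are constructed sample data, not taken from the thread.

# audit_access PASSWD SHELLS SSHD_CONFIG
# Prints one line per account: "<user> ssh=<yes|no> ftp=<yes|no>"
#   ssh: admitted by AllowUsers (assumption: exact names only)
#   ftp: login shell is listed in the shells file
audit_access() {
    awk -F: -v shells="$2" -v conf="$3" '
    BEGIN {
        # Collect the valid shells, skipping blank lines and comments.
        while ((getline line < shells) > 0)
            if (line != "" && line !~ /^#/) valid[line] = 1
        # Collect every name given on an AllowUsers line (keyword is case-insensitive).
        while ((getline line < conf) > 0) {
            sub(/^[ \t]+/, "", line)
            n = split(line, w, /[ \t]+/)
            if (tolower(w[1]) != "allowusers") continue
            restricted = 1      # directive present: unlisted users are refused
            for (i = 2; i <= n; i++) allowed[w[i]] = 1
        }
    }
    /^[^#]/ && NF >= 7 {
        ssh = (!restricted || ($1 in allowed)) ? "yes" : "no"
        ftp = ($7 in valid) ? "yes" : "no"
        print $1 " ssh=" ssh " ftp=" ftp
    }' "$1"
}

# Build the constructed sample files in a scratch directory and run the audit.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'alice:x:1000:100::/home/alice:/bin/bash' \
        'bob:x:1001:100::/home/bob:/bin/bash' \
        'carol:x:1002:100::/home/carol:/var/nologin' > "$d/passwd"
    printf '%s\n' '/bin/sh' '/bin/bash' > "$d/shells"
    printf '%s\n' '# constructed sshd_config fragment' 'AllowUsers alice' > "$d/sshd_config"
    audit_access "$d/passwd" "$d/shells" "$d/sshd_config"
    rm -rf "$d"
}

demo
```

On a real host the call is audit_access /etc/passwd /etc/shells /etc/ssh/sshd_config. In the sample, carol shows ftp=no because her dummy shell was never added to the shells file, which is the step post #2 describes for keeping FTP working.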
 
  

