LinuxQuestions.org
Old 01-13-2005, 08:43 AM   #1
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Rep: Reputation: 30
ssh: deny all users, except one


Hello all (and a happy new year)

I have a server onto which users SCP (generally using WinSCP or rsync with ssh). I perform maintenance tasks each day between 07:00 and 07:30 (at this time, no one is accessing the system, although they could).

I would like to know if there is a way to deny all users from accessing the server via SSH, except for me (in case I need to do admin tasks).

Ideally, a script will change the appropriate lines in ssh_config to deny users and then allow them again once maintenance time is over.

I have tried:

Code:
DenyUsers *
AllowUsers hamish
hoping that the AllowUsers would override the decision to deny everyone.

Given that I add new users, I don't want to have a list of them in the DenyUsers line, as that would be inefficient.

Is there a way that I can tell SSH to deny all users, except for me?

Thanks in advance
Hamish
 
Old 01-13-2005, 09:59 AM   #2
bbk
Member
 
Registered: Jan 2005
Location: Budapest/Hungary
Distribution: knoppix-hdd/debian
Posts: 56

Rep: Reputation: 15
You should switch the order: first AllowUsers, then DenyUsers.
By the way, here's what the man page says:

DenyUsers *
# This keyword can be followed by a list of user name patterns, separated by spaces. Login is
# disallowed for user names that match one of the patterns. `*' and `?' can be used as wildcards
# in the patterns. Only user names are valid; a numerical user ID is not recognized. By default,
# login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are
# separately checked, restricting logins to particular users from particular hosts.

Anyway, there is another solution: you can simply put yourself in a different primary group from the other users and deny access to the other groups with DenyGroups.

Hope that I could help,
BBK
 
Old 01-13-2005, 11:00 AM   #3
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Original Poster
Rep: Reputation: 30
that does help! I will try later at my linux box!

hamish
 
Old 02-13-2005, 04:28 PM   #4
systemparadox
Member
 
Registered: Jul 2004
Location: Tavistock, Devon, England
Distribution: Slackware 9.1, Mandrake 9.0/9.1/10.0, LFS 6.0, Knoppix 3.1/3.3
Posts: 73

Rep: Reputation: 15
I want to do just that: deny access to all users except those explicitly specified using AllowUsers, but I can't get it to work...

I can log in as 'simon'. Then I su to root, edit /etc/ssh/sshd_config and run '/etc/rc.d/rc.sshd restart'. Then I try logging in on another terminal as 'simon'. I can still log in, provided that 'DenyUsers *' is not present anywhere in the file. I have tried putting 'AllowUsers simon' first and I have tried putting DenyUsers first, but it doesn't seem to matter: while 'DenyUsers *' is present in the file I cannot log in.

What is going on?

Thanks
Simon

Below is my /etc/ssh/sshd_config:

Code:
#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

AllowUsers simon
DenyUsers *

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
MaxStartups 4

# no default banner path
Banner /etc/ssh/sshd_banner

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
 
Old 02-14-2005, 01:19 PM   #5
systemparadox
Member
 
Registered: Jul 2004
Location: Tavistock, Devon, England
Distribution: Slackware 9.1, Mandrake 9.0/9.1/10.0, LFS 6.0, Knoppix 3.1/3.3
Posts: 73

Rep: Reputation: 15
also, is it possible to allow different users for each network interface/subnet? It looks likely that I am going to want to allow certain other users in from the lan side, but not via the internet.

Thanks
Simon
 
Old 02-14-2005, 05:24 PM   #6
nukey
Member
 
Registered: Dec 2004
Location: Netherlands
Distribution: Slackware
Posts: 173

Rep: Reputation: 30
I've only made 2 changes in my /etc/ssh/sshd_config

PermitRootLogin no
AllowUsers nukey

And with this setup nobody can log in, except me of course.
 
Old 02-15-2005, 05:36 AM   #7
systemparadox
Member
 
Registered: Jul 2004
Location: Tavistock, Devon, England
Distribution: Slackware 9.1, Mandrake 9.0/9.1/10.0, LFS 6.0, Knoppix 3.1/3.3
Posts: 73

Rep: Reputation: 15
I suppose I should have tried that before asking questions (having just AllowUsers, no DenyUsers). It works, thanks.

Is it possible to allow different users per interface?
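The maintenance-window toggle hamish asked for in post #1, written as an added example (not code from the thread) using only AllowUsers, which is what posts #6 and #7 found to work. It assumes the admin account is "hamish", that sshd reads /etc/ssh/sshd_config and writes its PID to /var/run/sshd.pid (the PidFile default in Simon's config), and that cron runs it as root; the /usr/local/sbin/ssh-maint path is an assumption too.

```shell
#!/bin/sh
# Added example, not from the thread: lock sshd down to one admin account for
# a maintenance window and restore the normal AllowUsers list afterwards.
# Assumptions: admin account "hamish", config /etc/ssh/sshd_config,
# PID file /var/run/sshd.pid, invoked from root's crontab.

# lockdown_config CFG ADMIN: keep a copy of CFG, then rewrite it with every
# AllowUsers/DenyUsers directive removed and a single "AllowUsers ADMIN"
# appended, so that from the next reload only ADMIN can open a new session.
lockdown_config() {
    cfg=$1; admin=$2
    cp -p "$cfg" "$cfg.pre-maint"
    {
        # keywords are case-insensitive to sshd, hence -i; "|| :" keeps the
        # function's status clean when grep filters out every line
        grep -ivE '^[[:space:]]*(AllowUsers|DenyUsers)([[:space:]]|$)' "$cfg.pre-maint" || :
        printf 'AllowUsers %s\n' "$admin"
    } > "$cfg"
}

# restore_config CFG: put the pre-maintenance file back.
restore_config() {
    cfg=$1
    if [ -f "$cfg.pre-maint" ]; then mv "$cfg.pre-maint" "$cfg"
    else echo "no $cfg.pre-maint to restore" >&2; return 1; fi
}

# allowed_users CFG: print the AllowUsers patterns currently in the file,
# one line per directive (used to verify the rewrite before reloading).
allowed_users() {
    awk 'tolower($1) == "allowusers" { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# reload_sshd CFG: have sshd syntax-check the file first; a rejected config on
# a headless box means a lockout (post #10). Then signal the running daemon.
reload_sshd() {
    sshd -t -f "$1" || { echo "sshd rejected $1, not reloading" >&2; return 1; }
    kill -HUP "$(cat /var/run/sshd.pid)"
}

# crontab (root):  0 7 * * * /usr/local/sbin/ssh-maint lock
#                 30 7 * * * /usr/local/sbin/ssh-maint unlock
case "${1-}" in
    lock)   lockdown_config /etc/ssh/sshd_config hamish && reload_sshd /etc/ssh/sshd_config ;;
    unlock) restore_config /etc/ssh/sshd_config && reload_sshd /etc/ssh/sshd_config ;;
esac
```

AllowUsers is checked at login, so sessions and transfers already running when the window opens are not cut off; only new connections are refused.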
 
Old 02-17-2005, 12:44 AM   #8
mastahnke
Member
 
Registered: Feb 2002
Location: IL
Distribution: Ubuntu currently, also Fedora, RHEL, CentOS
Posts: 111

Rep: Reputation: 15
Per interface? Per physical NIC or per IP address? If per IP address, you can run separate sshd processes and bind each one to an IP with the config file that works with the users the way you require.

sshd_config

ListenAddress :: #put listening IP here


As for tying it down per physical NIC, that might be harder.


There is also the nologin directive. If you touch a file called nologin in /etc/ssh, only root will be allowed in to fix things.

/etc/nologin
If this file exists, sshd refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and non-root connections are refused. The file should be world-readable.

I don't think that is configurable beyond the root user though.
 
Old 02-17-2005, 04:15 PM   #9
systemparadox
Member
 
Registered: Jul 2004
Location: Tavistock, Devon, England
Distribution: Slackware 9.1, Mandrake 9.0/9.1/10.0, LFS 6.0, Knoppix 3.1/3.3
Posts: 73

Rep: Reputation: 15
I suppose I could do it by IP, since I will be blocking all packets coming from one interface that have an address in the subnet of another.

About the nologin file:
Is it /etc/nologin or /etc/ssh/nologin?
What happens if 'PermitRootLogin' is set to 'no'? Can root login anyway or can nobody login?

Thanks for the help
Simon
 
Old 05-26-2005, 07:08 AM   #10
systemparadox
Member
 
Registered: Jul 2004
Location: Tavistock, Devon, England
Distribution: Slackware 9.1, Mandrake 9.0/9.1/10.0, LFS 6.0, Knoppix 3.1/3.3
Posts: 73

Rep: Reputation: 15
OK, sorry to revive this thread, but I have only just managed to get round to trying multiple sshd processes.
(I'm also trying to do this on a headless server, and I keep locking myself out!) Anyway...

I'm having trouble understanding how you tie it down by IP. By default, ListenAddress is 0.0.0.0, so I assumed that ListenAddress 192.168.38.0 would allow connections from hosts with address 192.168.38.x. But I just get connection refused, and nothing shows up in the logs about my attempt (they do when I have it listening on 0.0.0.0, and they show that it was listening to 192.168.38.0 port 22).

I also have connections coming in from forwarded subnets (i.e. my palmtop going through my laptop), this is not a problem at the moment as I have my laptop NATing the connection, but I would like to be able to turn that off really.

Also, I have the problem of a dynamic internet IP address, so I can't just tell it to bind to that address. Besides, would that work or would it be listening for connections only from my IP? I figured that if I told it to listen on all addresses (0.0.0.0) and started the internal server first, the external server would not be able to bind to the internal addresses, so that would solve that problem. Please correct me if I'm wrong here.

It would be soooo much easier if I could just tell one to listen to connections from eth0 and eth1, and the other to listen to connections from eth2, and not bother with IP addresses, especially as I am filtering invalid addresses out at my firewall.

Thanks
Simon
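A small config check, added here as an example (not from the thread), for the two things that tripped people up above: the 'DenyUsers *' line that locked Simon out in posts #3 and #4 (sshd evaluates DenyUsers before AllowUsers, so a matching deny wins), and a ListenAddress written as a subnet in post #10 (ListenAddress takes an address assigned to the host, not a range of clients). It assumes a plain "Keyword value" sshd_config without Match blocks; the sample configs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report sshd_config settings that
# reproduce the failures discussed above. Assumes no Match blocks, so every
# directive applies globally. Prints one finding per line.
check_sshd_config() {
    awk '
        # sshd keywords are case-insensitive; comments and blank lines are skipped
        /^[ \t]*(#|$)/ { next }
        { kw = tolower($1) }
        kw == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i == "*")
                print "DenyUsers * refuses every login; DenyUsers is checked before AllowUsers, so AllowUsers cannot override it (posts #3, #4)"
        }
        kw == "listenaddress" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.0$/ {
            print "ListenAddress " $2 " is a network address; sshd binds to an address owned by this host, it does not filter clients by subnet (post #10)"
        }
        kw == "allowusers" || kw == "allowgroups" { restricted = 1 }
        END {
            if (!restricted)
                print "no AllowUsers/AllowGroups line: sshd itself does not limit which accounts may log in (posts #6, #11)"
        }
    ' "$1"
}

# count_findings CFG: number of findings, for scripting (0 means clean).
count_findings() {
    check_sshd_config "$1" | awk 'END { print NR }'
}

# sshd_config_ok CFG: succeed only when the file has no findings.
sshd_config_ok() {
    [ "$(count_findings "$1")" -eq 0 ]
}

# usage: check_sshd_config /etc/ssh/sshd_config
```

Run it against a candidate file before restarting sshd, together with 'sshd -t -f FILE' for syntax; this check covers policy mistakes that sshd -t accepts as valid.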
 
Old 09-07-2008, 05:23 PM   #11
newhren
LQ Newbie
 
Registered: Sep 2008
Posts: 1

Rep: Reputation: 0
solution: read the man page

I had the same problem (wanted to deny ssh-access to all but one user) and I regret that I first found this thread with crazy ideas. The solution is easy, and it is in the man-page for sshd_config:

/etc/ssh/sshd_config should contain only "AllowUsers joe" and no "DenyUsers". This way only "joe" is allowed to login.
 
Old 09-07-2008, 07:58 PM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Listen tells the sshd instance started with that config file which IPs to bind to. You would need to create multiple copies of your /etc/init.d/sshd script, name them for the physical interfaces they should listen on. Edit each init script and add some shell script to grab the current IP from the respective interface, and pass it to sshd with -o Listen=<current ip>. Then edit each copy of the sshd_config to comment-out Listen 0.0.0.0 and ::. Of course, if your clients can reach each IP address, there's not much extra security (other than telling them which one they should connect to). The firewall would need to prevent traffic from the "wrong" subnets from reaching each sshd.

Last edited by chort; 09-07-2008 at 08:02 PM.
 
Old 09-07-2008, 08:41 PM   #13
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Quote:
Originally Posted by newhren View Post
I had the same problem (wanted to deny ssh-access to all but one user) and I regret that I first found this thread with crazy ideas. The solution is easy, and it is in the man-page for sshd_config:

/etc/ssh/sshd_config should contain only "AllowUsers joe" and no "DenyUsers". This way only "joe" is allowed to login.
That's a 3 year old thread you decided to add to
 
Old 09-07-2008, 08:58 PM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Blame Google
http://www.google.com/search?rls=en&...UTF-8&oe=UTF-8
 