Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a server onto which users SCP (generally using winscp or rsync with ssh). I perform maintenance tasks each day between 07:00 and 07:30 (at this time, no one is accessing the system, although they could).
I would like to know if there is a way to deny all users from accessing the server via SSH, except for me (in case I need to do admin tasks).
Ideally, a script will change the appropriate lines in ssh_config to deny users and then allow them again once maintenance time is over.
I have tried:
hoping that the AllowUsers would overwrite the decision to deny everyone.
Given that I add new users, I don't want to have a list of them in the DenyUsers line, as that would be inefficient.
Is there a way that I can tell SSH to deny all users, except for me?
You should switch the order. First, AllowUsers then the DenyUsers.
By the way, here's what the man page says:
# This keyword can be followed by a list of user name patterns, separated by spaces. Login is
# disallowed for user names that match one of the patterns. `*' and `?' can be used as wildcards
# in the patterns. Only user names are valid; a numerical user ID is not recognized. By default,
# login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are
# separately checked, restricting logins to particular users from particular hosts.
Anyway, there is another solution: you can simply put yourself in a different primary group from the other users and deny access to the other groups with DenyGroups.
I want to do just that: deny access to all users except those explicitly specified using AllowUsers, but I can't get it to work...
I can log in as 'simon'. Then I su to root, edit /etc/ssh/sshd_config and run '/etc/rc.d/rc.sshd restart'. Then I try logging in on another terminal as 'simon'. I can still log in, provided that 'DenyUsers *' is not present anywhere in the file. I have tried putting 'AllowUsers simon' first and I have tried putting DenyUsers first, but it doesn't seem to matter: while 'DenyUsers *' is present in the file I cannot log in.
What is going on?
Below is my /etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# HostKey for protocol version 1
# HostKeys for protocol version 2
# Lifetime and size of ephemeral version 1 server key
#obsoletes QuietMode and FascistLogging
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
# To disable tunneled clear text passwords, change to no here!
# Change to no to disable s/key passwords
# Kerberos options
# GSSAPI options
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
# no default banner path
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
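An added example (not code posted in this thread) of the maintenance-window script the original question asks for. sshd processes DenyUsers before AllowUsers no matter where they sit in the file, which is why 'DenyUsers *' locks everyone out regardless of order; an AllowUsers line on its own already refuses every account not listed. The marker comments, the backup suffix and the account name 'simon' are assumptions.

```shell
#!/bin/sh
# Toggle a maintenance window on an sshd_config: while the window is open,
# only the listed admin account(s) may log in; afterwards the original policy
# is restored. "DenyUsers *" is never needed: any account not named on an
# AllowUsers line is refused.
# Assumed (not from the thread): the marker comments and the .pre-maint suffix.
set -eu

MARK_BEGIN='# BEGIN maintenance-window (managed block)'
MARK_END='# END maintenance-window (managed block)'

# $1 = path of sshd_config, remaining args = accounts that keep SSH access.
enable_maintenance() {
    cfg=$1; shift
    grep -qF "$MARK_BEGIN" "$cfg" && return 0      # already enabled: idempotent
    cp -p "$cfg" "$cfg.pre-maint"                  # backup for manual recovery
    block=$(printf '%s\nAllowUsers %s\n%s' "$MARK_BEGIN" "$*" "$MARK_END")
    tmp=$(mktemp)
    # Insert before the first Match line: directives after a Match keyword
    # belong to that conditional section, not to the global configuration.
    awk -v blk="$block" \
        '!done && $1=="Match" {print blk; done=1} {print} END {if (!done) print blk}' \
        "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"; rm -f "$tmp"              # keeps the file's mode and owner
}

# Remove the managed block so access returns to the pre-maintenance policy.
disable_maintenance() {
    cfg=$1
    tmp=$(mktemp)
    awk -v b="$MARK_BEGIN" -v e="$MARK_END" \
        '$0==b {skip=1; next} $0==e {skip=0; next} !skip' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"; rm -f "$tmp"
}

# Print the accounts named on AllowUsers lines (empty output = no restriction).
effective_allowusers() {
    awk '$1=="AllowUsers" {$1=""; sub(/^ /, ""); print}' "$1"
}

# Let sshd parse the file before reloading; a syntax error would otherwise
# stop sshd from restarting and lock the admin out of a headless box.
# Existing sessions survive SIGHUP; only new connections see the new policy.
apply_config() {
    cfg=$1
    sshd -t -f "$cfg" || { echo "invalid sshd config, not reloading" >&2; return 1; }
    kill -HUP "$(cat /var/run/sshd.pid)"           # default PidFile location
}
```

Run enable_maintenance /etc/ssh/sshd_config simon followed by apply_config from the 07:00 cron job, and disable_maintenance plus apply_config at 07:30; keep the admin session open while the reload happens so a mistake can still be undone.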
Per interface? Per physical NIC or per IP address? If per IP address, you can run separate sshd processes and bind each one to an IP with the config file that works with the users the way you require.
ListenAddress :: #put listening IP here
As for tying it down per physical NIC, that might be harder.
There is also the nologin directive. If you touch a file called nologin in /etc/ssh, only root will be allowed in to fix things.
If this file exists, sshd refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and non-root connections are refused. The file should be world-readable.
I don't think that is configurable beyond the root user though.
OK, sorry to revive this thread, but I have only just managed to get round to trying multiple sshd processes.
(I'm also trying to do this on a headless server, and I keep locking myself out!) Anyway...
I'm having trouble understanding how you tie it down by IP. By default, ListenAddress is 0.0.0.0, so I assumed that ListenAddress 192.168.38.0 would allow connections from hosts with address 192.168.38.x. But I just get connection refused, and nothing shows up in the logs about my attempt (they do when I have it listening on 0.0.0.0, and they show that it was listening to 192.168.38.0 port 22).
I also have connections coming in from forwarded subnets (i.e. my palmtop going through my laptop), this is not a problem at the moment as I have my laptop NATing the connection, but I would like to be able to turn that off really.
Also, I have the problem of a dynamic internet IP address, so I can't just tell it to bind to that address. Besides, would that work or would it be listening for connections only from my IP? I figured that if I told it to listen on all addresses (0.0.0.0) and started the internal server first, the external server would not be able to bind to the internal addresses, so that would solve that problem. Please correct me if I'm wrong here.
It would be soooo much easier if I could just tell one to listen to connections from eth0 and eth1, and the other to listen to connections from eth2, and not bother with IP addresses, especially as I am filtering invalid addresses out at my firewall.
Listen tells the sshd instance started with that config file which IPs to bind to. You would need to create multiple copies of your /etc/init.d/sshd script, name them for the physical interfaces they should listen on. Edit each init script and add some shell script to grab the current IP from the respective interface, and pass it to sshd with -o Listen=<current ip>. Then edit each copy of the sshd_config to comment-out Listen 0.0.0.0 and ::. Of course, if your clients can reach each IP address, there's not much extra security (other than telling them which one they should connect to). The firewall would need to prevent traffic from the "wrong" subnets from reaching each sshd.
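An added example (not code from any poster) of the per-address approach described in the last two replies: one sshd instance per address, each reading its own config file, with the address taken from the interface at start time so a dynamic IP is no problem. Interface names (eth0, eth2), file paths and the account 'simon' are assumptions.

```shell
#!/bin/sh
# One sshd per address: each instance has its own config, pid file and user
# policy, and the firewall (not sshd) keeps the "wrong" subnet away from each.
# Added example; interface names, paths and accounts are assumptions.
set -eu

# First IPv4 address currently on an interface, read at start time so a
# dynamic address is picked up without editing the config by hand.
iface_ipv4() {
    ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# $1 = config path, $2 = local address to bind, $3 = pid file,
# remaining args = AllowUsers list (none = every account may log in).
# ListenAddress must be an address assigned to this host, not a subnet such
# as 192.168.38.0; which clients may reach it is a firewall decision.
# A distinct PidFile per instance is required, otherwise the second sshd
# overwrites the first one's pid file and reloads hit the wrong daemon.
write_instance_config() {
    cfg=$1; addr=$2; pid=$3; shift 3
    {
        echo "Port 22"
        echo "ListenAddress $addr"
        echo "PidFile $pid"
        echo "PasswordAuthentication no"
        if [ $# -gt 0 ]; then echo "AllowUsers $*"; fi
    } > "$cfg"
}

# Check the file with sshd's parser, then start an instance that reads only it.
start_instance() {
    sshd -t -f "$1" && sshd -f "$1"
}

# Internal side (eth0): file-server users as usual. External side (eth2):
# only the admin account. Run as root; paths and interfaces are assumed.
main() {
    write_instance_config /etc/ssh/sshd_config.internal \
        "$(iface_ipv4 eth0)" /var/run/sshd.internal.pid
    write_instance_config /etc/ssh/sshd_config.external \
        "$(iface_ipv4 eth2)" /var/run/sshd.external.pid simon
    start_instance /etc/ssh/sshd_config.internal
    start_instance /etc/ssh/sshd_config.external
}

if [ "${1:-}" = start ]; then main; fi
```

Because the address is re-read every time the script runs, it belongs in the init script (or a copy of it per interface, as the reply above suggests) rather than being hard-coded.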