mitchell7man 12-11-2009 03:59 AM

How to restrict users ssh permissions?
 
Hi, I'm new to server, I have successfully set up a file server sharing different partitions to different users. I have noticed that I have a vulnerability on the SSH end though. I find that all of my users can ssh and cd to partitions that I would like restricted. These partitions are mounted as /media/dirname. How can I restrict guests' ssh access so that in terms of ssh they are not allowed to leave their home directory? I'd like it so that I can be the only one to have permissions to everything. I believe that my users do have their own groups but I'm not sure. Seeing as I'm asking this question, I think I'll need some help from where to start to where to end.

Much thanks.
MJ

*server is ubuntu 9.10 with samba

datopdog 12-11-2009 04:33 AM

You can chroot them to their home directories http://www.debian-administration.org/articles/590

centosboy 12-11-2009 04:37 AM

Quote:

Originally Posted by mitchell7man (Post 3787569)
Hi, I'm new to server, I have successfully set up a file server sharing different partitions to different users. I have noticed that I have a vulnerability on the SSH end though. I find that all of my users can ssh and cd to partitions that I would like restricted. These partitions are mounted as /media/dirname. How can I restrict guests' ssh access so that in terms of ssh they are not allowed to leave their home directory? I'd like it so that I can be the only one to have permissions to everything. I believe that my users do have their own groups but I'm not sure. Seeing as I'm asking this question, I think I'll need some help from where to start to where to end.

Much thanks.
MJ

*server is ubuntu 9.10 with samba

If a user is restricted to their home directory, they cannot run any commands.
What you should look at is setting a user up with ssh keys, and specifying in the ssh keys which commands they can run.

Another option would be to set up some rules in /etc/sudoers.
Some examples are here:
http://debaan.blogspot.com/2007/02/s...-examples.html

mitchell7man 12-11-2009 12:03 PM

Those are interesting, but I actually don't mind (and actually would like) if these users were not allowed to execute any commands at all, how do I go about restricting them completely? I didn't quite get that first tutorial as it seemed to be for FTP, I already have my users made and set up to be able to access certain SAMBA shares. I just need to lock them out of SSH.

Thanks again.

mitchell7man 12-11-2009 12:40 PM

Okay, so now I got a bigger problem: I changed the
Quote:

root ALL=(ALL) ALL
value to
Quote:

root ALL=(myusername) ALL
and now I cannot sudo... Is there any way to fix my sudo permissions? - I intended to lock everyone out except for myself. Now I just made my account the same as the rest, I can look at stuff but not edit it. (And I want my account to be able to do anything and the users to not even look at stuff)

Thanks.
MJ

UPDATE - I guess I did have root account active and was able to change the value back to (ALL). I still need help restricting other accounts. I guess you can see what kind of novice you're working with...

mitchell7man 12-11-2009 10:14 PM

Quote:

usermod -s /sbin/nologin username
seemed to do the trick :) Thanks all!
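
A follow-up check for the `usermod -s /sbin/nologin username` fix above, added here as an example and not part of the thread: it reads a passwd(5)-format file and lists the accounts that still have an interactive login shell and are not on an allow list. The function name, the account name `admin`, the UID threshold of 1000 and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit which accounts can still
# obtain an interactive shell after shells were changed with usermod -s.
# passwd(5) fields: name:password:uid:gid:gecos:home:shell

# login_capable_users FILE MIN_UID [ALLOWED_USER...]
# Prints one account name per line for every entry with uid >= MIN_UID
# whose shell is not a nologin/false binary and who is not allow-listed.
login_capable_users() {
    passwd_file=$1
    min_uid=$2
    shift 2
    allowed=" $* "            # space-delimited allow list for exact matching
    awk -F: -v min="$min_uid" -v allowed="$allowed" '
        /^#/ || NF < 7             { next }  # comments and malformed lines
        $3 + 0 < min + 0           { next }  # system accounts below the threshold
        $7 ~ /\/(nologin|false)$/  { next }  # shell already refuses logins
        index(allowed, " " $1 " ") { next }  # explicitly permitted account
        { print $1 }                         # includes empty shell (defaults to /bin/sh)
    ' "$passwd_file"
}

# Constructed sample data; real input would be /etc/passwd.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
guest1:x:1001:1001::/home/guest1:/sbin/nologin
guest2:x:1002:1002::/home/guest2:/bin/bash
guest3:x:1003:1003::/home/guest3:/bin/false
guest4:x:1004:1004::/home/guest4:/usr/sbin/nologin
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
echo "Accounts that can still log in interactively:"
login_capable_users "$tmp" 1000 admin
rm -f "$tmp"
```

Any name it prints is an account whose shell still needs changing or that needs adding to the allow list.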

