How to restrict users ssh permissions?

mitchell7man · 12-11-2009, 03:59 AM

Hi, I'm new to server, I have successfully set up a file server sharing different partitions to different users. I have noticed that I have a vulnerability on the SSH end though. I find that all of my users can ssh and cd to partitions that I would like restricted. These partitions are mounted as /media/dirname how can I restrict guests ssh access so that in terms of ssh they are not allowed to leave their home directory? I'd like it so that I can be the only one to have permissions to everything. I believe that my users do have their own groups but I'm not sure, seeing as I'm asking this question I think I'll need some help from where to start from where to end.

Much thanks.
MJ

*server is ubuntu 9.10 with samba

datopdog · 12-11-2009, 04:33 AM

You can chroot them to their home directories http://www.debian-administration.org/articles/590

centosboy · 12-11-2009, 04:37 AM

Quote:

Originally Posted by mitchell7man

Hi, I'm new to server, I have successfully set up a file server sharing different partitions to different users. I have noticed that I have a vulnerability on the SSH end though. I find that all of my users can ssh and cd to partitions that I would like restricted. These partitions are mounted as /media/dirname how can I restrict guests ssh access so that in terms of ssh they are not allowed to leave their home directory? I'd like it so that I can be the only one to have permissions to everything. I believe that my users do have their own groups but I'm not sure, seeing as I'm asking this question I think I'll need some help from where to start from where to end.

Much thanks.
MJ

*server is ubuntu 9.10 with samba

if a user is restricted to their home directory, they cannot run any commands..
what you should look at is setting a user up with ssh keys, and specifying in the ssh keys which commands they can run.

another option would be to set up some rules in /etc/sudoers
some examples are here
http://debaan.blogspot.com/2007/02/s...-examples.html

mitchell7man · 12-11-2009, 12:03 PM

Those are interesting, but I actually don't mind (and actually would like) if these users were not allowed to execute any commands at all, how do I go about restricting them completely? I didn't quite get that first tutorial as it seemed to be for FTP, I already have my users made and set up to be able to access certain SAMBA shares. I just need to lock them out of SSH.

Thanks again.

mitchell7man · 12-11-2009, 12:40 PM

Okay, so now I got a bigger problem i changed the

Quote:

root ALL=(ALL) ALL

value to

Quote:

root ALL=(myusername) ALL

and now I cannot sudo... Is there any way to fix my sudo permissions? - I intended to lock everyone out except for myself. Now I just made my account the same as the rest, I can look at stuff but not edit it. (And I want my account to be able to do anything and the users to not even look at stuff)

Thanks.
MJ

UPDATE - I guess I did have root account active and was able to change the value back to (ALL). -I still need help restricting other accounts. I guess you can see what kind of novice your working with...

mitchell7man · 12-11-2009, 10:14 PM

Quote:

usermod -s /sbin/nologin username

seemed to do the trick

Thanks all!