I have a requirement to implement SSH services in a way that the oracle user is disallowed from everywhere other than one host, while there are no restrictions for other users.
I worked with DenyUsers, but it disallows oracle logins from all hosts.
I would *strongly* suggest that you don't deal with this at ssh level, but use tcpwrappers by editing /etc/hosts.allow and /etc/hosts.deny.
So in hosts.allow:
Code:
sshd : oracle@host
And in hosts.deny:
Code:
sshd : oracle@*
should, AFAIK, only allow oracle from that one host within ssh but not affect anything else whatsoever. Plenty of flexibility in tcpwrappers if you want it, but I think that does what you ask for.
Last edited by acid_kewpie; 04-12-2011 at 08:14 AM.
Thanks, I have just tried your suggestion. After adding the entries I don't see any restriction. I also restarted the network service and the ssh service, but nothing happened. Do I need to restart something else as well?
Well, that would be ALL : ALL as per the post, but that will mean no other users will be able to ssh in from anywhere; the point then would be to go back to hosts.allow and put more specific allows in there.
So we are back at step 1, as others will also be blocked.
You can use the EXCEPT keyword. This is from the "man 5 hosts_access" man page:
Code:
The explicitly authorized hosts are listed in the allow file. For example:
/etc/hosts.allow:
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
So you could use:
Code:
sshd: ALL EXCEPT oracle@ALL
--
Sorry, I forgot you wanted oracle to have permission from one host.
Would
Code:
/etc/hosts.deny
sshd: oracle@ALL EXCEPT oracle@<allowed_host>
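To see why the user@host rules behaved as the thread reports, here is an added Python model of the hosts_access(5) matching order (allow file first, then deny file, then default allow) with ALL, LOCAL, leading-dot, wildcard and EXCEPT patterns; it is not libwrap's code, and the host names and ident results are constructed. The point it demonstrates: the user part of user@host is the client-side user reported by ident (RFC 931), not the account being logged into, so tcpwrappers cannot restrict the oracle login on its own, and a client without identd matches neither rule and is let through.

```python
import fnmatch

def match_token(pattern, value):
    """One hosts_access(5) pattern against one host or user name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # any name without a dot
        return "." not in value
    if pattern.startswith("."):       # domain suffix, e.g. .foobar.edu
        return value.endswith(pattern)
    return fnmatch.fnmatchcase(value, pattern)  # exact name, or */? wildcards

def match_client(token, client_host, client_user):
    """user@host tests the client-side (RFC 931 / ident) user, not the SSH login name."""
    if "@" in token:
        user_pat, host_pat = token.split("@", 1)
        return match_token(user_pat, client_user) and match_token(host_pat, client_host)
    return match_token(token, client_host)

def match_list(tokens, matcher):
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matcher) and not match_list(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)

def hosts_access(allow, deny, daemon, client_host, client_user="unknown"):
    """libwrap order: first hosts.allow match grants, then first hosts.deny match refuses, else grant."""
    for rules, verdict in ((allow, True), (deny, False)):
        for rule in rules:
            daemon_list, client_list = (field.split() for field in rule.split(":", 1))
            if (match_list(daemon_list, lambda t: match_token(t, daemon))
                    and match_list(client_list, lambda t: match_client(t, client_host, client_user))):
                return verdict
    return True

# Constructed rules from the thread; "dbclient.example.com" stands in for the one permitted host.
ALLOW = ["sshd : oracle@dbclient.example.com"]
DENY = ["sshd : oracle@*"]

def thread_cases():
    return {
        "ident says oracle, permitted host": hosts_access(ALLOW, DENY, "sshd", "dbclient.example.com", "oracle"),
        "ident says oracle, other host": hosts_access(ALLOW, DENY, "sshd", "other.example.com", "oracle"),
        # Common case: no identd on the client, so the user is "unknown" and neither rule matches.
        "no ident, other host": hosts_access(ALLOW, DENY, "sshd", "other.example.com"),
        # ALL EXCEPT variant: refuses every account from every other host, not only oracle.
        "ALL EXCEPT, other host": hosts_access([], ["sshd : ALL EXCEPT dbclient.example.com"], "sshd", "other.example.com"),
    }
```

The "no ident" case is the one the original poster saw: with no identd answering on the client, the oracle account is still accepted from any host, which is why the per-account restriction has to live in sshd_config rather than in tcpwrappers.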
Code:
[root@backup01 ~]# strings $(which sshd)| grep libwrap
libwrap.so.0
libwrap refuse returns
[root@backup01 ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
Code:
# Example of overriding settings on a per-user basis
#Match User oracle
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
AllowUsers oracle@123.123.123.10