Old 11-12-2010, 04:36 PM   #1
LQ Newbie
Registered: Jun 2010
Posts: 2

Rep: Reputation: 0
Disable telnet and ssh for a specific user

I am looking for a way to deny telnet and ssh to one specific user. So far I've only tested with telnet and my attempts have been limited to various hosts.deny entries:

in.telnetd : user@server
in.telnetd :
in.telnetd : user@IP_address
in.telnetd :

None of these work. The only thing I've found that does work is:
in.telnetd : IP_address

But this is only a semi-viable solution because we will soon have multiple logins for the one username from different servers and sub-nets. Ideally, I'd like to be able to deny telnet and ssh access to this username regardless of where the login originates. I suppose it would be possible to specify each server IP, but that'll be a bear to maintain. Thanks in advance!

The platform is RHEL 5 32-bit; kernel is 2.6.18-164.6.1.el5.

Last edited by krisr; 11-12-2010 at 05:21 PM. Reason: Left out platform info.
Old 11-12-2010, 04:43 PM   #2
LQ Guru
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 272Reputation: 272Reputation: 272
Can you just change that user's shell to /dev/null or /bin/false? Or do they need local login access?

Last edited by pljvaldez; 11-12-2010 at 04:45 PM.
Old 11-12-2010, 04:53 PM   #3
Registered: Aug 2007
Location: India
Distribution: Slackware (mainly) and then a lot of others...
Posts: 855

Rep: Reputation: Disabled
Just adding to the previous posts - put /bin/bash -r.... else I think making some changes to the .bashrc would make this possible. I think someone might need to explain this out in detail.
Hope this helps.
Old 11-16-2010, 09:29 AM   #4
LQ Newbie
Registered: Jun 2010
Posts: 2

Original Poster
Rep: Reputation: 0
The user does need to login with FTP and I don't know without testing how the shell change to /dev/null or /bin/false would affect that. Thanks much for your input!
Old 11-16-2010, 11:37 AM   #5
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 420Reputation: 420Reputation: 420Reputation: 420Reputation: 420
Is shutting down telnet entirely an option? It is pretty redundant with SSH and you sure don't want to expose telnet to the Internet. As for SSH, look into using the DenyUsers option, or better yet the AllowUsers option, in sshd_config. The latter specifies who can log in, and if you're not on the list, you don't get to use SSH.
Old 11-16-2010, 12:02 PM   #6
Senior Member
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406Reputation: 406Reputation: 406Reputation: 406Reputation: 406
the shell you would use is /usr/sbin/nologin or /sbin/nologin, this is considered a 'valid' shell which won't trigger errors, you would put this in the shell part of /etc/passwd
of course
works too
Ubuntu does that by default for its service users (values in [] are generalized for reference only and should be left alone)
Old 11-16-2010, 12:22 PM   #7
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 914Reputation: 914Reputation: 914Reputation: 914Reputation: 914Reputation: 914Reputation: 914Reputation: 914
To add to the posts above: I'd disable telnet altogether, and
(assuming you're using OpenSSH >= 5.x) create a chroot jail for
the user .... that way they can only sftp to the machine.
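
The sshd_config settings named in posts #5 and #7, written out as an added example that is not part of any post in this thread. The account name "ftpuser" and the path /srv/sftp are placeholders, and the two alternatives are mutually exclusive.

```conf
# /etc/ssh/sshd_config fragment. "ftpuser" and /srv/sftp are placeholders.

# Alternative 1 (post #5): refuse all SSH access for one account, from any
# source address. SFTP and scp run over SSH, so they are refused too.
DenyUsers ftpuser

# Alternative 2 (post #7): SFTP only, inside a chroot. To use it, delete the
# DenyUsers line above and uncomment the block below. Match blocks go at the
# end of the file because they apply to every line that follows them.
# ChrootDirectory and each directory above it must be owned by root and not
# writable by group or others, or sshd refuses the session.
#Match User ftpuser
#    ChrootDirectory /srv/sftp/%u
#    ForceCommand internal-sftp
#    AllowTcpForwarding no
#    X11Forwarding no
```

Run `sshd -t` to check the file for syntax errors before reloading sshd. Neither alternative touches telnet, which is a separate service.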

Old 11-17-2010, 08:40 AM   #8
Registered: Dec 2007
Location: Japan
Distribution: Debian
Posts: 42

Rep: Reputation: 3
How about this?
1. Create a group (e.g. ordinary)
2. Change the permissions of the telnet and ssh commands so that only users who are in the group (e.g. ordinary) can run those commands.
3. All users except that one user belong to the group (e.g. ordinary).
4. On every update of telnet and ssh, you have to change the permissions of the telnet and ssh commands. (And on every upgrade of your OS and every reinstallation of your OS, you have to do this setting.)

