Hi all,

I'm kind of beginner with Linux, I have the problems described in "Failed SSH login attempts" (massive ssh attacks). I solved the problem on one server with pub/priv keys, but I have a second one which I want to access from everywhere without always downloading and installing my key. I want to limit ssh access to one user, I added the last line in

/etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist

and put the user in
/etc/ssh_allow.pamlist

OS is Fedora Core 5
I restarted ssh and network, but still everyone can log in.
Any ideas?

Cheers,
Thomas

Ok, I fixed the problem with adding

AllowUsers

in /etc/ssh/sshd_conf
just for curiosity, why did the other way not work?

Thanks,
Thomas

just for curiosity, why did the other way not work?
IIRC you can't arbitrarily mix parts of the stack, they need to be grouped together. Your listfile needs to be below the rest of the "auth" stack. A simple test should show if that's true. If you can, please post result.

Ok, I will try it tomorrow. Sorry for the maybe stupid question (remember, newbie... ), but you mean my
/etc/pam.d/sshd
should look like this:

#%PAM-1.0
auth include system-auth
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so

and what shortcut is IIRC?

Cheers,
Thomas

If I Recall/Remember Correctly.

There is a handy list of acronyms here.

I strongly suggest that you look into SSH's certificate-based "publickey" authentication methods, instead of using passwords.

A public key is like an identification badge that cannot be forged. Each individual desiring access to a particular account must have a recognized badge, or he can't even attempt to get in. If you password-protect the key, you know that the person who's presenting the key must have known the password that was necessary to decrypt it. This will stop the SSH attacks, dead in their tracks, for good.

Consider this: SSH is "a shell." Whether it uses encryption or not, it is a method by which a user can present a dictionary-full of passwords to your system and, if successful, gain access to it. You want to strictly limit this. "Anyone has a dictionary," but no one has your key.

@IOERROR
I changed the order in /etc/pam.d/sshd, but still no effect, also users not on the list could log in. Any other ideas? Another question is: where is the difference in limiting the access within ssh or pam?

@sundialsvcs
I agree with you, of course just limiting the access to one user does not give the same security as the key system. As I said in the 1st post, the main server with the important data uses this system. The one where I don't want the key system is more a desktop pc, if it would be compromised it is not a problem to wipe the harddisk and recover the data. The user that can log in doesn't have a "proper" name, it's randomized like a password. I'm hosting there presentations, biological databases and develop/test programms before running them on the main server. Because I work very often at different PC's, I don't want to install a key everywhere. Any other tips how to make a non-key ssh connection as safe as possible are very welcome!

Thanks very much for the answers!