LinuxQuestions.org forum: Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-11-2006, 04:18 AM | #1 | LQ Newbie | Registered: May 2006 | Posts: 5
deny ssh access with pam
Hi all,
I'm kind of a beginner with Linux. I have the problems described in "Failed SSH login attempts" (massive ssh attacks). I solved the problem on one server with pub/priv keys, but I have a second one which I want to access from everywhere without always downloading and installing my key. I want to limit ssh access to one user, so I added the last line in
/etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
and put the user in
/etc/ssh_allow.pamlist
OS is Fedora Core 5
I restarted ssh and network, but still everyone can log in.
Any ideas?
Cheers,
Thomas
OK, I fixed the problem by adding
AllowUsers
in /etc/ssh/sshd_config
Just out of curiosity, why did the other way not work?
Thanks,
Thomas
Last edited by RobertCraven; 05-11-2006 at 04:40 AM.
05-11-2006, 06:29 AM | #2 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
Just out of curiosity, why did the other way not work?
IIRC you can't arbitrarily mix parts of the stack, they need to be grouped together. Your listfile needs to be below the rest of the "auth" stack. A simple test should show if that's true. If you can, please post result.
05-11-2006, 08:48 AM | #3 | LQ Newbie | Registered: May 2006 | Posts: 5 | Original Poster
OK, I will try it tomorrow. Sorry for the maybe stupid question (remember, newbie...), but do you mean my
/etc/pam.d/sshd
should look like this:
#%PAM-1.0
auth include system-auth
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
and what shortcut is IIRC?
Cheers,
Thomas
05-11-2006, 09:04 AM | #4 | Member | Registered: Sep 2005 | Location: Old Blighty | Distribution: Slackware, NetBSD | Posts: 536
Quote:
and what shortcut is IIRC?
If I Recall/Remember Correctly.
There is a handy list of acronyms here.
05-11-2006, 09:30 AM | #5 | LQ Guru | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 11,057
I strongly suggest that you look into SSH's certificate-based "publickey" authentication methods, instead of using passwords.
A public key is like an identification badge that cannot be forged. Each individual desiring access to a particular account must have a recognized badge, or he can't even attempt to get in. If you password-protect the key, you know that the person who's presenting the key must have known the password that was necessary to decrypt it. This will stop the SSH attacks, dead in their tracks, for good.
Consider this: SSH is "a shell." Whether it uses encryption or not, it is a method by which a user can present a dictionary-full of passwords to your system and, if successful, gain access to it. You want to strictly limit this. "Anyone has a dictionary," but no one has your key.
Last edited by sundialsvcs; 05-11-2006 at 09:32 AM.
05-12-2006, 04:55 AM | #6 | LQ Newbie | Registered: May 2006 | Posts: 5 | Original Poster
@IOERROR
I changed the order in /etc/pam.d/sshd, but still no effect; users not on the list could also log in. Any other ideas? Another question is: what is the difference between limiting the access within ssh and within pam?
@sundialsvcs
I agree with you; of course just limiting the access to one user does not give the same security as the key system. As I said in the 1st post, the main server with the important data uses this system. The one where I don't want the key system is more of a desktop PC; if it were compromised it would not be a problem to wipe the hard disk and recover the data. The user that can log in doesn't have a "proper" name; it's randomized like a password. I'm hosting presentations and biological databases there and develop/test programs before running them on the main server. Because I very often work at different PCs, I don't want to install a key everywhere. Any other tips on how to make a non-key ssh connection as safe as possible are very welcome!
Thanks very much for the answers!
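Why the pam_listfile line in this thread never fired, as a worked example added here (it is not code from any of the posters). Linux-PAM builds a separate stack per type (auth, account, password, session) from the lines of that type in file order, so interleaving the auth line with account and session lines changes nothing. What matters is that `auth include system-auth` splices in a `sufficient pam_unix.so` line, and a `sufficient` success ends the auth stack on the spot, so a pam_listfile placed anywhere after the include is never consulted; placed before the include, it is. The Python below is a toy evaluator of those control-flag rules run over the three orderings seen in the thread. Assumptions of the example: the system-auth text is a simplified stand-in modelled on the Fedora-era file, the password database and allowlist are constructed, and only pam_unix and pam_listfile have real behaviour (every other module is a no-op success).

```python
# Added example (not from the thread): a toy evaluator of Linux-PAM auth-stack
# semantics. Module behaviour is simulated; only pam_unix and pam_listfile have
# real logic. SYSTEM_AUTH is a simplified, constructed stand-in for the
# Fedora-era /etc/pam.d/system-auth, not a copy of the real file.

SUCCESS, FAIL = "success", "fail"

SYSTEM_AUTH = """
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
"""

LISTFILE = ("auth required /lib/security/pam_listfile.so "
            "onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist")

# Post #1: listfile appended after the session lines.
SSHD_ORIGINAL = f"""
#%PAM-1.0
auth     include  system-auth
account  required pam_nologin.so
account  include  system-auth
password include  system-auth
session  include  system-auth
session  required pam_loginuid.so
{LISTFILE}
"""

# Post #3: listfile grouped with the auth lines, but still after the include.
SSHD_REORDERED = f"""
#%PAM-1.0
auth     include  system-auth
{LISTFILE}
account  required pam_nologin.so
account  include  system-auth
password include  system-auth
session  include  system-auth
session  required pam_loginuid.so
"""

# Working variant: listfile before the include, i.e. before the `sufficient`
# pam_unix line that the include splices in.
SSHD_FIXED = f"""
#%PAM-1.0
{LISTFILE}
auth     include  system-auth
account  required pam_nologin.so
account  include  system-auth
password include  system-auth
session  include  system-auth
session  required pam_loginuid.so
"""

FILES = {"system-auth": SYSTEM_AUTH}
# Constructed test data: a local password database and the OP's allowlist.
PASSWORDS = {"thomas": "correct horse", "mallory": "hunter2"}
LISTFILES = {"/etc/ssh_allow.pamlist": {"thomas"}}


def parse(text, want_type):
    """(control, module, args) for lines of one type, in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != want_type:
            continue
        entries.append((fields[1], fields[2], fields[3:]))
    return entries


def expand(text, want_type):
    """Splice `include`d files in place, as Linux-PAM does for `include`."""
    out = []
    for control, module, args in parse(text, want_type):
        if control == "include":
            out.extend(expand(FILES[module], want_type))
        else:
            out.append((control, module, args))
    return out


def run_module(module, args, user, password):
    name = module.rsplit("/", 1)[-1]
    if name == "pam_unix.so":
        return SUCCESS if PASSWORDS.get(user) == password else FAIL
    if name == "pam_listfile.so":
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        allowed = LISTFILES.get(opts.get("file"))
        if allowed is None:  # unreadable list file: onerr= decides
            return FAIL if opts.get("onerr") == "fail" else SUCCESS
        wanted = opts.get("sense", "allow") == "allow"
        return SUCCESS if (user in allowed) == wanted else FAIL
    if name == "pam_deny.so":
        return FAIL
    return SUCCESS  # pam_env, pam_succeed_if, ...: no-op in this model


def authenticate(sshd_text, user, password):
    """Run the auth stack; returns (verdict, modules actually consulted)."""
    consulted, failed = [], False
    for control, module, args in expand(sshd_text, "auth"):
        result = run_module(module, args, user, password)
        consulted.append(module.rsplit("/", 1)[-1])
        if control == "requisite" and result == FAIL:
            return FAIL, consulted
        if control == "required" and result == FAIL:
            failed = True
        if control == "sufficient" and result == SUCCESS and not failed:
            return SUCCESS, consulted  # stack ends here; later lines never run
    return (FAIL if failed else SUCCESS), consulted


if __name__ == "__main__":
    variants = [("original", SSHD_ORIGINAL), ("reordered", SSHD_REORDERED),
                ("fixed", SSHD_FIXED)]
    for label, text in variants:
        for user, pw in [("thomas", "correct horse"), ("mallory", "hunter2")]:
            verdict, ran = authenticate(text, user, pw)
            print(f"{label:9} {user:8} -> {verdict:7} via {ran}")
```

Running it shows "mallory" (not on the list) accepted by both the original and the reordered file with pam_listfile absent from the consulted modules, and refused only by the fixed ordering. Two practical caveats: sshd consults the PAM `auth` stack only with `UsePAM yes` and only for password or keyboard-interactive logins; public-key logins skip it (just the account and session stacks run), so a PAM allowlist meant to cover every login method belongs in the `account` stack, whereas `AllowUsers` in sshd_config applies to all methods, which is why it worked immediately. Also, with `required` a user not on the list is still prompted for a password before being refused; `requisite` refuses at once.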
All times are GMT -5.