LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-11-2006, 03:18 AM   #1
RobertCraven
LQ Newbie
 
Registered: May 2006
Posts: 5

Rep: Reputation: 0
deny ssh access with pam


Hi all,

I'm kind of a beginner with Linux. I have the problems described in "Failed SSH login attempts" (massive ssh attacks). I solved the problem on one server with pub/priv keys, but I have a second one which I want to access from everywhere without always downloading and installing my key. I want to limit ssh access to one user, so I added the last line in

/etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist

and put the user in
/etc/ssh_allow.pamlist

OS is Fedora Core 5
I restarted ssh and network, but still everyone can log in.
Any ideas?

Cheers,
Thomas

Ok, I fixed the problem with adding

AllowUsers

in /etc/ssh/sshd_conf
just for curiosity, why did the other way not work?

Thanks,
Thomas

Last edited by RobertCraven; 05-11-2006 at 03:40 AM.
 
Old 05-11-2006, 05:29 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
just for curiosity, why did the other way not work?
IIRC you can't arbitrarily mix parts of the stack, they need to be grouped together. Your listfile needs to be below the rest of the "auth" stack. A simple test should show if that's true. If you can, please post result.
 
Old 05-11-2006, 07:48 AM   #3
RobertCraven
LQ Newbie
 
Registered: May 2006
Posts: 5

Original Poster
Rep: Reputation: 0
Ok, I will try it tomorrow. Sorry for the maybe stupid question (remember, newbie... ), but you mean my
/etc/pam.d/sshd
should look like this:

#%PAM-1.0
auth include system-auth
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so

and what shortcut is IIRC?

Cheers,
Thomas
 
Old 05-11-2006, 08:04 AM   #4
ioerror
Member
 
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536

Rep: Reputation: 34
Quote:
and what shortcut is IIRC?
If I Recall/Remember Correctly.

There is a handy list of acronyms here.
 
Old 05-11-2006, 08:30 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
I strongly suggest that you look into SSH's certificate-based "publickey" authentication methods, instead of using passwords.

A public key is like an identification badge that cannot be forged. Each individual desiring access to a particular account must have a recognized badge, or he can't even attempt to get in. If you password-protect the key, you know that the person who's presenting the key must have known the password that was necessary to decrypt it. This will stop the SSH attacks, dead in their tracks, for good.

Consider this: SSH is "a shell." Whether it uses encryption or not, it is a method by which a user can present a dictionary-full of passwords to your system and, if successful, gain access to it. You want to strictly limit this. "Anyone has a dictionary," but no one has your key.

Last edited by sundialsvcs; 05-11-2006 at 08:32 AM.
 
Old 05-12-2006, 03:55 AM   #6
RobertCraven
LQ Newbie
 
Registered: May 2006
Posts: 5

Original Poster
Rep: Reputation: 0
@IOERROR
I changed the order in /etc/pam.d/sshd, but still no effect; users not on the list could also log in. Any other ideas? Another question is: what is the difference between limiting the access within ssh and within pam?

@sundialsvcs
I agree with you, of course just limiting the access to one user does not give the same security as the key system. As I said in the 1st post, the main server with the important data uses this system. The one where I don't want the key system is more a desktop PC; if it were compromised it is not a problem to wipe the hard disk and recover the data. The user that can log in doesn't have a "proper" name, it's randomized like a password. I'm hosting there presentations, biological databases and develop/test programs before running them on the main server. Because I work very often at different PCs, I don't want to install a key everywhere. Any other tips on how to make a non-key ssh connection as safe as possible are very welcome!

Thanks very much for the answers!
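Added illustration, not from the thread or from any of its posters: a toy Python model of how Linux-PAM walks an "auth" stack under the control flags documented in pam.conf(5) (required, requisite, sufficient, optional, include). The contents of system-auth are an assumption modelled on a Fedora Core era default; the login names, passwords and allow-list are constructed. It shows why both stacks posted above, which place pam_listfile after "auth include system-auth", still let an unlisted user in: the "sufficient" pam_unix line inside system-auth returns success to sshd before pam_listfile is ever reached. Putting the listfile line first records a required failure that no later success can override.

```python
"""Toy model of Linux-PAM 'auth' stack evaluation (added example, not the
thread's own configuration).  Control-flag semantics follow pam.conf(5):
  required   - a failure is remembered, but the rest of the stack still runs
  requisite  - a failure returns immediately
  sufficient - a success returns immediately if no earlier required module failed
  optional   - the result is ignored here
  include    - the other file's lines are spliced in with no substack boundary
"""

# Assumed Fedora Core era /etc/pam.d/system-auth "auth" section:
# (control, module, args) with the leading "auth" type stripped.
SYSTEM_AUTH = [
    ("required", "pam_env.so", ""),
    ("sufficient", "pam_unix.so", "nullok try_first_pass"),
    ("requisite", "pam_succeed_if.so", "uid >= 500 quiet"),
    ("required", "pam_deny.so", ""),
]

LISTFILE = ("required", "pam_listfile.so",
            "onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist")

# Ordering used in the thread: include first, listfile afterwards.
SSHD_BROKEN = [("include", "system-auth", ""), LISTFILE]
# Listfile evaluated before anything in the included stack.
SSHD_FIXED = [LISTFILE, ("include", "system-auth", "")]

ALLOW_LIST = {"x7q2mz"}                                   # constructed: the one permitted login
PASSWORDS = {"x7q2mz": "s3cret", "mallory": "hunter2"}   # constructed accounts


def module_result(module, args, user, password):
    """Small stand-ins for what each real module would decide."""
    if module == "pam_env.so":
        return True
    if module == "pam_unix.so":
        return PASSWORDS.get(user) == password
    if module == "pam_succeed_if.so":
        return True  # assume every constructed account has uid >= 500
    if module == "pam_deny.so":
        return False
    if module == "pam_listfile.so":
        opts = dict(a.split("=", 1) for a in args.split())
        listed = user in ALLOW_LIST
        return listed if opts["sense"] == "allow" else not listed
    raise ValueError(f"unknown module {module}")


def flatten(stack, files):
    """'include' splices the named file's lines inline, so a 'sufficient'
    success inside it ends the caller's stack as well."""
    for ctrl, module, args in stack:
        if ctrl == "include":
            yield from flatten(files[module], files)
        else:
            yield ctrl, module, args


def run_auth(stack, user, password, files=None):
    """Return (authenticated, modules_that_ran) for one login attempt."""
    files = files or {"system-auth": SYSTEM_AUTH}
    required_failed = False
    ran = []
    for ctrl, module, args in flatten(stack, files):
        ran.append(module)
        ok = module_result(module, args, user, password)
        if ctrl == "requisite" and not ok:
            return False, ran                  # hard stop
        if ctrl == "required" and not ok:
            required_failed = True             # remembered; the stack continues
        if ctrl == "sufficient" and ok and not required_failed:
            return True, ran                   # short-circuits everything below
        # "optional" and a failing "sufficient" do not change the outcome
    return (not required_failed), ran


if __name__ == "__main__":
    for name, stack in (("broken", SSHD_BROKEN), ("fixed", SSHD_FIXED)):
        for user in ("x7q2mz", "mallory"):
            result, ran = run_auth(stack, user, PASSWORDS[user])
            print(f"{name:6} {user:7} -> {'allow' if result else 'deny':5} ran={ran}")
```

Two caveats about the real system that the model leaves out. sshd only consults the PAM "auth" stack for password and keyboard-interactive logins, and only with UsePAM yes in sshd_config, so public-key logins never reach pam_listfile at all; AllowUsers in sshd_config, by contrast, applies to every authentication method, which is why it worked for the poster. Later Linux-PAM releases also offer "substack" instead of "include", which keeps a "sufficient" success inside the included file from short-circuiting the calling stack.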
 