LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-01-2005, 10:50 AM   #1
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Rep: Reputation: 15
HowTo sshd deny all users except for one?


I want to deny all sshd logins except for one for the duration of some server maintenance (on RH9 machine). I want to include the one user in case I get kicked off the box for some reason (bad network connection) and thus prevent myself from re-logging in.

I tried putting the following in /etc/ssh/sshd_config:

Code:
DenyUsers *
AllowUsers johndoe
..but that didn't seem to work. Might anyone have any additional suggestions?

The only thing I can think to do is list _all_ the logins (by simply putting /etc/passwd through a filter to get all the logins on one line), but I'd like to find a more effective process for handling this requirement in the future.

Thanks for any help,
-Matt
 
Old 10-01-2005, 11:00 AM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
From man sshd_config:
Code:
AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  If specified, login is allowed only for
             users whose primary group or supplementary group list matches one
             of the patterns....

AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.  `*' and `?' can be
             used as wildcards in the patterns.
So with
Code:
AllowUsers johndoe
AllowGroups users
only johndoe will be allowed to login.
 
Old 10-02-2005, 07:54 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
PAM listfile.so

For completeness' sake, and only on platforms where services use PAM, you could also edit /etc/pam.d/[servicename] and include a listfile line in the auth section. This gives you the ability to add usernames to a plain text file to be denied/allowed (according to the "sense" statement you supply listfile with). I use it because it's centralised, faster, can be used across (PAM-ified) services and doesn't need me to edit each and every daemon config.
 
Old 10-02-2005, 08:52 AM   #4
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by TruckStuff
So with
Code:
AllowUsers johndoe
AllowGroups users
only johndoe will be allowed to login.
I'm missing something. Will not the above code allow all the users in group=users as well as johndoe?

Also, what happens when I don't want to have to know and/or manage all the different groups on a system? I just want to disallow everyone except one *user* without having to track down if there are more users not constrained by the group=user.

Does that point make any sense?

-Matt
 
Old 10-02-2005, 08:54 AM   #5
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Re: PAM listfile.so

Quote:
Originally posted by unSpawn
For completeness' sake, and only on platforms where services use PAM, you could also edit /etc/pam.d/[servicename] and include a listfile line in the auth section. This gives you the ability to add usernames to a plain text file to be denied/allowed (according to the "sense" statement you supply listfile with). I use it because it's centralised, faster, can be used across (PAM-ified) services and doesn't need me to edit each and every daemon config.
I'm not familiar with PAM, how it operates, nor how to manage it. Got a recommend link where I can read more?

I see http://www.kernel.org/pub/linux/libs...-html/pam.html , but I'm not sure it's appropriate or "best."

Thanks for any help,
-Matt
 
Old 10-02-2005, 12:11 PM   #6
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by mattengland
I'm missing something.
Yes, you are. What you are missing is:
Code:
man sshd_config
man pages are always a good place to start (or even Google).
Quote:
Originally posted by mattengland
Will not the above code allow all the users in group=users as well as johndoe
No. Again from man sshd_config:
Code:
AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.
You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
 
Old 10-02-2005, 12:21 PM   #7
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Thanks for the clarification. Sorry I missed this originally.

-Matt
 
Old 10-02-2005, 12:26 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by mattengland
Got a recommend link where I can read more?
It's gotten lost somewhere in the depths of /usr/share/doc/pam-[0-9].* :-]


Check if you got a file "/lib/security/pam_listfile.so".
If you got /etc/pam.d/ssh, locate the lines starting with "auth" and add this line beneath the last "auth" statement:
Code:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd.allow onerr=fail
Now cat/echo/vi the username(s) you allow (one per line) to /etc/sshd.allow.
Done.
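To show what the pam_listfile line above actually decides, here is a small model of its item=user behaviour (added here; it is not the module's code nor anything posted in the thread). It assumes a constructed stand-in for /etc/sshd.allow written to a temp directory, and it models the two things that lock everyone out when onerr=fail: a missing file and a world-writable file.

```python
import os
import stat
import tempfile

def listfile_decision(user, path, sense="allow", onerr="fail"):
    """Simplified model of pam_listfile with item=user (not the module's code):
    look the user up in the file; 'sense' says whether a match allows or denies;
    'onerr' says what an unreadable file means. A world-writable or non-regular
    file is refused outright, so nobody is let through by it."""
    try:
        st = os.stat(path)
        if st.st_mode & stat.S_IWOTH or not stat.S_ISREG(st.st_mode):
            return "deny"
        with open(path) as fh:
            names = {line.strip() for line in fh if line.strip()}
    except OSError:
        # onerr=fail: a missing or unreadable list fails the auth stack for everyone.
        return "deny" if onerr == "fail" else "allow"
    listed = user in names
    if sense == "allow":
        return "allow" if listed else "deny"
    return "deny" if listed else "allow"

def make_allow_file(names, world_writable=False):
    """Write a constructed sshd.allow stand-in (one name per line) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "sshd.allow")
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")
    os.chmod(path, 0o666 if world_writable else 0o644)
    return path

if __name__ == "__main__":
    good = make_allow_file(["johndoe"])
    print(listfile_decision("johndoe", good))                # allow
    print(listfile_decision("alice", good))                  # deny
    print(listfile_decision("johndoe", good + ".missing"))   # deny: onerr=fail
    print(listfile_decision("johndoe", make_allow_file(["johndoe"], world_writable=True)))  # deny
```

Before closing the only open session, it is worth confirming the real file exists, is a regular file owned by root and is not world-writable, since with onerr=fail any of those problems denies every login.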
 
Old 10-02-2005, 12:47 PM   #9
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 47
Quote:
Originally posted by TruckStuff
Yes, you are. What you are missing is:
Code:
man sshd_config
man pages are always a good place to start (or even Google). ...

You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
to be fair, the man page really doesn't say that though, does it?

Code:
     AllowUsers
             This keyword can be followed by a list of user name patterns, sepa-
             rated by spaces.  If specified, login is allowed only for user names
             that match one of the patterns.  '*' and '?' can be used as wild-
             cards in the patterns.  Only user names are valid; a numerical user
             ID is not recognized.  By default, login is allowed for all users.
             If the pattern takes the form USER@HOST then USER and HOST are sepa-
             rately checked, restricting logins to particular users from particu-
             lar hosts.
that doesn't mention anything about also having to have the AllowGroups directive present in the configuration. how is anyone supposed to know that (if in fact it's true)? just by guessing? there are dozens of other directives in the man pages, also. which other ones do we have to guess have to be present when using AllowUsers, or any other option?

if you read the AllowGroups description, it likewise doesn't mention anything about having to have that option specified if you are using AllowUsers. in fact, it even says that all groups are allowed by default if you don't include it!

Code:
      AllowGroups
             This keyword can be followed by a list of group name patterns, sepa-
             rated by spaces.  If specified, login is allowed only for users
             whose primary group or supplementary group list matches one of the
             patterns.  '*' and '?' can be used as wildcards in the patterns.
             Only group names are valid; a numerical group ID is not recognized.
             By default, login is allowed for all groups.
so if anything, the logical thing to conclude from what the man pages say is that by not specifying AllowGroups, all groups are allowed, and you can then specify which users are allowed by using the AllowUsers option. anything concluded other than that would have to be called mindreading, clairvoyance (or poor documentation).
 
Old 10-02-2005, 12:55 PM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
I tried putting the following in /etc/ssh/sshd_config:

Code:
DenyUsers *
AllowUsers johndoe
Just a wild guess - depending on which takes precedence (deny or allow), is it possible you're denying everyone with this config?

You said this didn't work but I am curious about how it failed. Was no one able to log in after that?
 
Old 10-02-2005, 01:06 PM   #11
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by slackhack
to be fair, the man page really doesn't say that though, does it?
Not really, that's why I told him.
 
Old 10-02-2005, 01:17 PM   #12
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 47
Quote:
Originally posted by TruckStuff
Not really, that's why I told him.



Quote:
Originally posted by TruckStuff
You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
please show me in the AllowUsers description where it says you also have to include the AllowGroups directive if you're using AllowUsers? or maybe i'm just misunderstanding you, too.
 
Old 10-02-2005, 09:05 PM   #13
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by slackhack
Sorry, I was trying to agree with you.
Quote:
Originally posted by slackhack
the man page really doesn't say that though, does it?
Quote:
Originally posted by TruckStuff
[No, it does] not really [say that], that's why I told him.
 
Old 10-03-2005, 08:45 AM   #14
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 47
Quote:
Originally posted by TruckStuff
Sorry, I was trying to agree with you.
okay. i just didn't understand why you were referring him there if it wasn't giving accurate info. but as long as we're in agreement, i'm fine with that.
 
Old 10-03-2005, 07:16 PM   #15
this213
Member
 
Registered: Dec 2001
Location: ./
Distribution: Fedora, CentOS, RHEL, Gentoo
Posts: 167

Rep: Reputation: 34
There is no requirement for AllowGroups if you're using AllowUsers

SSH will attempt to deny access from anyone it thinks you are trying to specify, by saying:
Code:
DenyUsers *
the fact that you're putting in an AllowUsers never gets read, because the daemon has already denied access to all users.

Using AllowUsers and AllowGroups, the daemon automatically figures you want to deny everyone else.
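To make the precedence discussed in this thread concrete, here is a small simulator (added here; not code from the thread or from OpenSSH) that applies the four access directives in the order sshd_config(5) documents, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, where the first directive to reject wins and an absent directive imposes nothing. The USERS table and the sample configs are constructed; the USER@HOST form is checked as two separate patterns, as the man page quoted above describes.

```python
import fnmatch

# Constructed user database: name -> (primary group, supplementary groups)
USERS = {
    "johndoe": ("johndoe", ["wheel"]),
    "alice":   ("users",   []),
    "bob":     ("users",   ["wheel"]),
}

def parse_config(text):
    """Collect the four access directives from sshd_config-style text."""
    cfg = {"DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key in cfg:
            cfg[key].extend(rest.split())
    return cfg

def match_user(patterns, user, host):
    """USER@HOST patterns check user and client host separately."""
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat):
                return True
        elif fnmatch.fnmatchcase(user, pat):
            return True
    return False

def match_group(patterns, groups):
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)

def login_allowed(config_text, user, host=""):
    """Evaluate in OpenSSH order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    cfg = parse_config(config_text)
    if cfg["DenyUsers"] and match_user(cfg["DenyUsers"], user, host):
        return False          # 'DenyUsers *' ends it here, AllowUsers is never reached
    if cfg["AllowUsers"] and not match_user(cfg["AllowUsers"], user, host):
        return False
    primary, supp = USERS.get(user, ("", []))
    groups = [primary] + supp
    if cfg["DenyGroups"] and match_group(cfg["DenyGroups"], groups):
        return False
    if cfg["AllowGroups"] and not match_group(cfg["AllowGroups"], groups):
        return False          # an AllowGroups line adds a constraint, it does not relax one
    return True
```

Running the configs from the thread through it: `DenyUsers *` plus `AllowUsers johndoe` denies johndoe, `AllowUsers johndoe` alone admits only johndoe, and adding `AllowGroups users` to that denies johndoe again unless he is actually in that group.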
 