Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

10-01-2005, 11:50 AM #1
Member
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42
HowTo sshd deny all users except for one?
I want to deny all sshd logins except for one for the duration of some server maintenance (on RH9 machine). I want to include the one user in case I get kicked off the box for some reason (bad network connection) and thus prevent myself from re-logging in.
I tried putting the following in /etc/ssh/sshd_config:
Code:
DenyUsers *
AllowUsers johndoe
...but that didn't seem to work. Might anyone have any additional suggestions?
The only thing I can think to do is to list _all_ the logins (by simply putting /etc/passwd through a filter to get all the logins on one line), but I'd like to find a more effective process for handling this requirement in the future.
Thanks for any help,
-Matt

10-01-2005, 12:00 PM #2
Member
Registered: Apr 2002
Posts: 498
From man sshd_config:
Code:
AllowGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. If specified, login is allowed only for
users whose primary group or supplementary group list matches one
of the patterns....
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. `*' and `?' can be
used as wildcards in the patterns.
So with
Code:
AllowUsers johndoe
AllowGroups users
only johndoe will be allowed to login.

10-02-2005, 08:54 AM #3
Moderator
Registered: May 2001
Posts: 29,415
PAM listfile.so
For completeness' sake, and only on platforms where services use PAM, you could also edit /etc/pam.d/[servicename] and include a listfile line in the auth section. This gives you the ability to add usernames to a plain text file to be denied/allowed (according to the "sense" statement you supply listfile with). I use it because it's centralised, faster, can be used across (PAM-ified) services and doesn't need me to edit each and every daemon config.

10-02-2005, 09:52 AM #4
Member
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42
Original Poster
Quote:
Originally posted by TruckStuff
So with
Code:
AllowUsers johndoe
AllowGroups users
only johndoe will be allowed to login.
|
I'm missing something. Will not the above code allow all the users in group=users as well as johndoe?
Also, what happens when I don't want to have to know and/or manage all the different groups on a system? I just want to disallow everyone except one *user* without having to track down if there are more users not constrained by the group=user.
Does that point make any sense?
-Matt

10-02-2005, 09:54 AM #5
Member
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42
Original Poster
Re: PAM listfile.so
Quote:
Originally posted by unSpawn
For completeness' sake, and only on platforms where services use PAM, you could also edit /etc/pam.d/[servicename] and include a listfile line in the auth section. This gives you the ability to add usernames to a plain text file to be denied/allowed (according to the "sense" statement you supply listfile with). I use it because it's centralised, faster, can be used across (PAM-ified) services and doesn't need me to edit each and every daemon config.
|
I'm not familiar with PAM, how it operates, or how to manage it. Got a recommended link where I can read more?
I see http://www.kernel.org/pub/linux/libs...-html/pam.html, but I'm not sure it's appropriate or "best."
Thanks for any help,
-Matt

10-02-2005, 01:11 PM #6
Member
Registered: Apr 2002
Posts: 498
Quote:
Originally posted by mattengland
I'm missing something.
|
Yes, you are. What you are missing is: man pages are always a good place to start (or even Google).
Quote:
Originally posted by mattengland
Will not the above code allow all the users in group=users as well as johndoe
|
No. Again from man sshd_config:
Code:
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns.
You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.

10-02-2005, 01:21 PM #7
Member
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42
Original Poster
Thanks for the clarification. Sorry I missed this originally.
-Matt

10-02-2005, 01:26 PM #8
Moderator
Registered: May 2001
Posts: 29,415
Got a recommended link where I can read more?
It's gotten lost somewhere in the depths of /usr/share/doc/pam-[0-9].* :-]
Check if you got a file "/lib/security/pam_listfile.so".
If you got /etc/pam.d/ssh, locate the lines starting with "auth" and add this line beneath the last "auth" statement:
Code:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd.allow onerr=fail
Now cat/echo/vi the username(s) you allow (one per line) to /etc/sshd.allow.
Done.
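As an added illustration of the pam_listfile line in this reply (the script is mine, not code from the thread or from Linux-PAM): it models the decision pam_listfile.so makes for the item=user, sense= and onerr= options described in pam_listfile(8), so the effect of each setting, including the case where /etc/sshd.allow is missing, can be checked before the line goes into /etc/pam.d/ssh. The allow file, the usernames and the function name listfile_decision are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Linux-PAM: a model of the
# decision pam_listfile.so makes for
#   auth required pam_listfile.so item=user sense=... file=... onerr=...
# Modelled from pam_listfile(8): the item is looked up in FILE (one entry per
# line); sense=allow passes only listed items, sense=deny refuses listed
# items; onerr decides the outcome when the file cannot be read
# (onerr=fail -> nobody passes this check, onerr=succeed -> everybody does).

# listfile_decision USER SENSE FILE ONERR -> prints "allow" or "deny"
listfile_decision() {
    user=$1; sense=$2; file=$3; onerr=${4:-succeed}
    if [ ! -r "$file" ]; then
        # file missing or unreadable: the onerr setting decides everything
        if [ "$onerr" = fail ]; then echo deny; else echo allow; fi
        return
    fi
    # exact, whole-line, fixed-string match, like pam_listfile's comparison
    if grep -qxF -- "$user" "$file"; then listed=1; else listed=0; fi
    case "$sense" in
        allow) if [ "$listed" -eq 1 ]; then echo allow; else echo deny; fi ;;
        deny)  if [ "$listed" -eq 1 ]; then echo deny;  else echo allow; fi ;;
        *)     echo deny ;;   # unknown sense value: treat as misconfiguration
    esac
}

# Constructed stand-in for /etc/sshd.allow: one username per line.
ALLOW_FILE=$(mktemp)
trap 'rm -f "$ALLOW_FILE"' EXIT
printf 'johndoe\n' > "$ALLOW_FILE"

echo "johndoe, sense=allow:                 $(listfile_decision johndoe allow "$ALLOW_FILE" fail)"
echo "alice,   sense=allow:                 $(listfile_decision alice   allow "$ALLOW_FILE" fail)"
echo "alice,   sense=deny:                  $(listfile_decision alice   deny  "$ALLOW_FILE" fail)"
echo "johndoe, file missing, onerr=fail:    $(listfile_decision johndoe allow /nonexistent/sshd.allow fail)"
echo "johndoe, file missing, onerr=succeed: $(listfile_decision johndoe allow /nonexistent/sshd.allow succeed)"
```

With sense=allow and onerr=fail, an empty or missing /etc/sshd.allow shuts everyone out. That is the safe failure for a maintenance window, but it means the file has to be populated (and kept root-owned and not world-writable, since pam_listfile rejects a world-writable list file) before the session used to set it up is closed.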

10-02-2005, 01:47 PM #9
Senior Member
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016
Quote:
Originally posted by TruckStuff
Yes, you are. What you are missing is: man pages are always a good place to start (or even Google). ...
You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
|
to be fair, the man page really doesn't say that though, does it?
Code:
AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces. If specified, login is allowed only for user names that
match one of the patterns. '*' and '?' can be used as wildcards in the
patterns. Only user names are valid; a numerical user ID is not
recognized. By default, login is allowed for all users. If the pattern
takes the form USER@HOST then USER and HOST are separately checked,
restricting logins to particular users from particular hosts.
that doesn't mention anything about also having to have the AllowGroups directive present in the configuration. how is anyone supposed to know that (if in fact it's true)? just by guessing? there are dozens of other directives in the man pages, also. which other ones do we have to guess have to be present when using AllowUsers, or any other option?
if you read the AllowGroups description, it likewise doesn't mention anything about having to have that option specified if you are using AllowUsers. in fact, it even says that all groups are allowed by default if you don't include it!
Code:
AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces. If specified, login is allowed only for users whose primary
group or supplementary group list matches one of the patterns. '*' and
'?' can be used as wildcards in the patterns. Only group names are
valid; a numerical group ID is not recognized. By default, login is
allowed for all groups.
so if anything, the logical thing to conclude from what the man pages say is that by not specifying AllowGroups, all groups are allowed, and you can then specify which users are allowed by using the AllowUsers option. anything concluded other than that would have to be called mindreading, clairvoyance (or poor documentation).

10-02-2005, 01:55 PM #10
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Quote:
I tried putting the following in /etc/ssh/sshd_config:
Code:
DenyUsers *
AllowUsers johndoe
|
Just a wild guess: depending on which takes precedence (deny or allow), is it possible you're denying everyone with this config?
You said this didn't work but I am curious about how it failed. Was no one able to log in after that?

10-02-2005, 02:06 PM #11
Member
Registered: Apr 2002
Posts: 498
Quote:
Originally posted by slackhack
to be fair, the man page really doesn't say that though, does it?
|
Not really, that's why I told him.

10-02-2005, 02:17 PM #12
Senior Member
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016
Quote:
Originally posted by TruckStuff
Not really, that's why I told him.
|
Quote:
Originally posted by TruckStuff
You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
|
please show me in the AllowUsers description where it says you also have to include the AllowGroups directive if you're using AllowUsers? or maybe i'm just misunderstanding you, too.

10-02-2005, 10:05 PM #13
Member
Registered: Apr 2002
Posts: 498
Quote:
Originally posted by slackhack
|
Sorry, I was trying to agree with you.
Quote:
Originally posted by slackhack
the man page really doesn't say that though, does it?
|
Quote:
Originally posted by TruckStuff
[No, it does] not really [say that], that's why I told him.
|

10-03-2005, 09:45 AM #14
Senior Member
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016
Quote:
Originally posted by TruckStuff
Sorry, I was trying to agree with you.
|
okay. i just didn't understand why you were referring him there if it wasn't giving accurate info. but as long as we're in agreement, i'm fine with that.

10-03-2005, 08:16 PM #15
Member
Registered: Dec 2001
Location: ./
Distribution: Fedora, CentOS, RHEL, Gentoo
Posts: 167
There is no requirement for AllowGroups if you're using AllowUsers.
SSH will attempt to deny access from anyone it thinks you are trying to specify, so by saying:
Code:
DenyUsers *
the fact that you're putting in an AllowUsers never gets read, because the daemon has already denied access to all users.
Using AllowUsers and AllowGroups, the daemon automatically figures you want to deny everyone else.
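As an added illustration of the evaluation order this reply and the earlier exchange turn on (the script is mine, not code from the thread or from OpenSSH): it models the order in which sshd_config(5) says the access directives are processed, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, with evaluation stopping at the first directive that rules the login out, and runs the OP's config plus the AllowUsers-only and AllowUsers+AllowGroups variants through it. The configs, usernames and group memberships are constructed, and sshd_decision, any_match, glob_match and directive are names I chose.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: a model of the
# order in which sshd evaluates its access directives, as documented in
# sshd_config(5): DenyUsers, then AllowUsers, then DenyGroups, then
# AllowGroups.  Evaluation stops at the first directive that rules the
# login out, which is why "DenyUsers *" shuts johndoe out before
# "AllowUsers johndoe" is ever consulted.
set -f   # patterns contain '*'; never let the shell expand them as filenames

# glob_match PATTERN WORD -> exit 0 if WORD matches the shell glob PATTERN
glob_match() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# any_match "PATTERNS" "WORDS" -> exit 0 if any word matches any pattern
any_match() {
    for p in $1; do
        for w in $2; do
            glob_match "$p" "$w" && return 0
        done
    done
    return 1
}

# directive CONFIG KEYWORD -> the arguments given to KEYWORD, or nothing
directive() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { $1 = ""; print }'
}

# sshd_decision USER "GROUPS" CONFIG -> prints "allow" or "deny"
# GROUPS is the user's primary plus supplementary group names.
sshd_decision() {
    user=$1; groups=$2; config=$3
    deny_users=$(directive "$config" DenyUsers)
    allow_users=$(directive "$config" AllowUsers)
    deny_groups=$(directive "$config" DenyGroups)
    allow_groups=$(directive "$config" AllowGroups)

    if [ -n "$deny_users" ] && any_match "$deny_users" "$user"; then
        echo deny; return          # explicitly denied by name
    fi
    if [ -n "$allow_users" ] && ! any_match "$allow_users" "$user"; then
        echo deny; return          # an allow list exists and the user is not on it
    fi
    if [ -n "$deny_groups" ] && any_match "$deny_groups" "$groups"; then
        echo deny; return          # one of the user's groups is denied
    fi
    if [ -n "$allow_groups" ] && ! any_match "$allow_groups" "$groups"; then
        echo deny; return          # a group allow list exists and none of the groups match
    fi
    echo allow
}

# Constructed configs: the OP's attempt, the AllowUsers-only form, and the
# AllowUsers plus AllowGroups form from reply #2.
CFG_OP='DenyUsers *
AllowUsers johndoe'
CFG_ALLOW='AllowUsers johndoe'
CFG_GROUPS='AllowUsers johndoe
AllowGroups users'

echo "DenyUsers * + AllowUsers johndoe, johndoe:        $(sshd_decision johndoe 'johndoe users' "$CFG_OP")"
echo "AllowUsers johndoe only, johndoe:                 $(sshd_decision johndoe 'johndoe' "$CFG_ALLOW")"
echo "AllowUsers johndoe only, alice (group users):     $(sshd_decision alice 'alice users' "$CFG_ALLOW")"
echo "AllowUsers + AllowGroups users, johndoe in wheel: $(sshd_decision johndoe 'johndoe wheel' "$CFG_GROUPS")"
echo "AllowUsers + AllowGroups users, johndoe in users: $(sshd_decision johndoe 'johndoe users' "$CFG_GROUPS")"
```

The last two lines show the catch in the AllowUsers plus AllowGroups form: it only admits johndoe if johndoe actually belongs to the named group. On the host itself, `sshd -t` checks the edited sshd_config for syntax errors before the daemon is restarted, and the usual precaution is to keep the current session open and confirm a fresh login as the permitted user from a second terminal before closing it.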