LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-01-2007, 05:45 PM   #1
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174

Rep: Reputation: 16
Locking down ssh


I have a requirement where a user should be allowed to ssh into a server and NOT be allowed to ssh or telnet out of the server.

Without having to uninstall these clients, how do I turn these clients off?

I also need to do this in Solaris, so if you know how, please share.

Chris
 
Old 10-01-2007, 06:18 PM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
This is basically an access control issue. Very often access control can be accomplished by using secondary user groups. I would do these steps on both machines. This will work on Linux and Solaris and any other *nix.

I would create a user group for each of the utilities. One user group called ssh and another user group called telnet.

Then I would change the ownership of each of these utilities so that root is the individual owner account and the user group matching the name of each utility is the group owner of the utility.

Then I would ensure that the permissions on each of these utilities is 750.

Then on the first machine I would add the ssh user group to the user account in question.

Now we have an environment where a user account has to be a member of the group that owns each of these utilities in order to use them. Since the user account on the first machine is a member of the ssh user group that user will be able to use the ssh utility. No user accounts are members of the telnet user group so no user will be able to use telnet. The user account on the second machine is not a member of the ssh or the telnet user groups so that user account will not be able to use either the ssh or the telnet utilities on the second machine. Naturally you have to add these user groups to all of the user accounts that need to access these utilities.

User groups are great for access control.

Last edited by stress_junkie; 10-01-2007 at 06:23 PM.
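A worked version of the group-ownership scheme described in the post above, added here as an example; it is not part of stress_junkie's post. It assumes POSIX sh with either GNU stat (-c) or BSD stat (-f), that the client binaries are named ssh, scp, sftp and telnet (override CLIENTS to add others), and that the per-client groups have already been created with groupadd. The chown step only runs as root and only if the group exists, so the audit part can be run unprivileged; the demo works on files it constructs in a temp directory, not on real binaries. Because it walks a whole PATH-style list of directories, it also catches second copies of a client living outside /usr/bin.

```sh
#!/bin/sh
# Added example (not from the thread): audit and lock client binaries the way
# post #2 describes: owner root:<group>, mode 750, so only group members run them.
# Assumes POSIX sh and either GNU stat (-c) or BSD stat (-f).

# Clients to look for; override with CLIENTS="ssh telnet nc" if needed.
CLIENTS=${CLIENTS:-"ssh scp sftp telnet"}

# file_mode FILE -> permission bits as three octal digits, e.g. 755
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%OLp' "$1")
    # keep only the last three digits (drops a leading setuid/setgid/sticky digit)
    printf '%s\n' "${m#"${m%???}"}"
}

# world_exec MODE -> succeeds when the "other" execute bit is set
world_exec() {
    case ${1#??} in 1|3|5|7) return 0 ;; esac
    return 1
}

# audit_clients DIR[:DIR...] -> one "path mode" line per client copy that any
# user on the box can still execute; empty output means every copy is locked
audit_clients() {
    for d in $(printf '%s' "$1" | tr ':' ' '); do
        for c in $CLIENTS; do
            f="$d/$c"
            [ -f "$f" ] || continue
            m=$(file_mode "$f")
            if world_exec "$m"; then printf '%s %s\n' "$f" "$m"; fi
        done
    done
}

# lock_client FILE GROUP -> mode 750 (also clears any setuid bit), and
# root:GROUP ownership when run as root and GROUP exists (groupadd it first)
lock_client() {
    chmod 750 "$1"
    if [ "$(id -u)" -eq 0 ] && getent group "$2" >/dev/null 2>&1; then
        chown "root:$2" "$1"
    fi
}

# Demo on a constructed directory; no real binaries are touched
demo() {
    t=$(mktemp -d)
    for c in ssh telnet; do printf '#!/bin/sh\n' > "$t/$c"; done
    chmod 755 "$t/ssh"; chmod 750 "$t/telnet"
    echo "before:"; audit_clients "$t:$t/nonexistent"
    lock_client "$t/ssh" ssh
    echo "after (expect no output):"; audit_clients "$t"
    rm -rf "$t"
}
demo
```

On a real system run it as `audit_clients "$PATH:/usr/kerberos/bin"` first, then `lock_client /usr/bin/ssh ssh` for each copy reported, and `usermod -a -G ssh <user>` for the accounts that keep access.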
 
Old 10-01-2007, 09:04 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Another option is to use iptables to prevent the user from starting outgoing connections. Example:
Code:
iptables -I OUTPUT -o eth0 -m owner --uid-owner win32sux \
-m state --state NEW -j REJECT

Last edited by win32sux; 10-01-2007 at 09:06 PM.
 
Old 10-01-2007, 09:49 PM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3940
Of the various solutions that have been offered, the most sensible one to me seems to be the one that's based on iptables, because the requirement that "a user should be allowed to ssh into a server and NOT be allowed to ssh or telnet out of the server" seems (to me...) to be a requirement that would most-easily be achieved by filtering the TCP/IP traffic, not (if indeed it were possible...) the applications involved.

If the TCP/IP packets associated with incoming SSH traffic were permitted, while those associated with outgoing traffic were blocked, the objective would be reached. "Q.E.D."
 
Old 10-02-2007, 12:49 AM   #5
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174

Original Poster
Rep: Reputation: 16
Are there any changes in the configuration files that can be done to turn off telnet & SSH clients?

Chris
 
Old 10-02-2007, 09:40 AM   #6
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
I don't understand how I read the original post to mean one thing and everyone else read it to mean something different. I thought that the original post asked how to create this restriction for a particular user account. Everybody else read it to mean that all users should have this restriction. Corrado's follow up question seems to indicate that the second interpretation was correct. I just don't get how this happened. Since this happens pretty frequently I think I'll stop coming here and wasting my time. I guess my understanding of English is different than everybody else's.

Last edited by stress_junkie; 10-02-2007 at 09:42 AM.
 
Old 10-02-2007, 01:07 PM   #7
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174

Original Poster
Rep: Reputation: 16
I probably should have been more specific and stated that I was looking for a software client solution. I am very appreciative to all those who contribute.

Chris
 
Old 10-02-2007, 06:51 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by stress_junkie View Post
I thought that the original post asked how to create this restriction for a particular user account.
I did too. My example would only restrict win32sux. Other users wouldn't be affected by the rule.
 
Old 10-02-2007, 07:06 PM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Would restricting outgoing ssh connections prevent the use of scp or sftp?
 
Old 10-02-2007, 08:35 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by jschiwal View Post
Would restricting outgoing ssh connections prevent the use of scp or sftp?
Yes. But with iptables it's hard if one only wants to prevent outgoing SSH, while allowing other types of traffic for the user. I mean, filtering port 22 isn't an effective way to prevent SSH/SCP/SFTP usage, as SSH daemons can listen on any port. My example simply denies the user the ability to start any outgoing connections at all. If certain outbound access does indeed need to be allowed for the user, then one can add rules for that. But one needs to be extremely careful to not add a rule that would allow the user to use sneakiness to SSH somewhere. This would more than likely involve IP whitelisting in one way or another.

Last edited by win32sux; 10-02-2007 at 09:02 PM.
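An added example that fleshes out the per-user egress rule from post #3 and the whitelisting approach from post #10; it is not code from either poster. It assumes iptables with the owner and state matches (standard on RHEL-era kernels), IPv4 only, and that the user name resolves on the host. The user name chris, the whitelist entries 10.0.0.5:443 and 10.0.1.0/24, and the chain name egress-<user> are made up for the illustration. The rules are generated as text so they can be reviewed and tested without root; apply_egress feeds them to sh only when run as root.

```sh
#!/bin/sh
# Added example (not from the thread): per-user egress policy in the spirit of
# posts #3 and #10. egress_rules prints the iptables commands; apply_egress runs
# them when root. Assumes iptables with -m owner and -m state, IPv4 only.

# egress_rules USER [DEST...] -> iptables commands on stdout.
# DEST is an IP or IP/CIDR, optionally with :PORT to limit it to one TCP port,
# e.g. 10.0.0.5:443. Only NEW connections are judged: replies inside the user's
# own inbound ssh session are ESTABLISHED and never reach the REJECT.
egress_rules() {
    user=$1; shift
    chain="egress-$user"
    printf 'iptables -N %s\n' "$chain"
    for dst in "$@"; do
        case $dst in
            *:*) printf 'iptables -A %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
                     "$chain" "${dst%:*}" "${dst##*:}" ;;
            *)   printf 'iptables -A %s -d %s -m state --state NEW -j ACCEPT\n' "$chain" "$dst" ;;
        esac
    done
    # anything else the user tries to open, on any port or protocol, is refused;
    # this is what makes "ssh to some other port" pointless
    printf 'iptables -A %s -m state --state NEW -j REJECT\n' "$chain"
    # -m owner only exists in OUTPUT; "! -o lo" covers every real interface,
    # so a second NIC or a tunnel device is not a loophole the way "-o eth0" is
    printf 'iptables -I OUTPUT ! -o lo -m owner --uid-owner %s -j %s\n' "$user" "$chain"
}

# apply_egress USER [DEST...] -> install the rules when root, else just print them
apply_egress() {
    if [ "$(id -u)" -eq 0 ]; then
        egress_rules "$@" | sh -e
    else
        egress_rules "$@"
    fi
}

# Example: chris may only reach the 10.0.0.5 HTTPS proxy and the 10.0.1.0/24 net.
# Note that whitelisting a host that itself runs sshd defeats the purpose, so
# keep entries narrow (one TCP port where possible).
egress_rules chris 10.0.0.5:443 10.0.1.0/24
```

After applying, `iptables -S OUTPUT | grep -- '--uid-owner chris'` should show the jump as the first OUTPUT rule, and `su - chris -c 'ssh -p 2222 10.0.0.5'` should fail with "connection refused" while the user's own login session stays up.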
 
Old 10-09-2007, 08:40 PM   #11
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174

Original Poster
Rep: Reputation: 16
Are there any changes in configuration files I could make on the client side, other than having to close ports or use iptables?

I believe there is such a way in server services. (/etc/xinit.d/telnet)

Chris
 
Old 10-10-2007, 06:54 AM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Corrado View Post
Are there any changes in configuration files I could make on the client side, other than having to close ports or use iptables?
You can adjust the ownership scheme, as suggested by stress_junkie.

Quote:
I believe there is such a way in server services.
Yeah but client programs are a different matter.

Last edited by win32sux; 10-10-2007 at 08:46 AM.
 
Old 10-12-2007, 02:00 AM   #13
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174

Original Poster
Rep: Reputation: 16
Security is telling me that telnet client has to be disabled.

I attempted to remove the telnet client

Quote:
rpm -e telnet
But I see that it still remains as

Quote:
/usr/kerberos/bin/telnet
Why is this?

Will removing kerberos break everything?

Chris
 
Old 10-17-2007, 01:09 AM   #14
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174

Original Poster
Rep: Reputation: 16
Anyone know the answer to the above? bump
 
Old 10-18-2007, 01:40 PM   #15
complich8
Member
 
Registered: Oct 2007
Distribution: rhel, fedora, gentoo, ubuntu, freebsd
Posts: 104

Rep: Reputation: 17
Quote:
Originally Posted by Corrado View Post
Anyone know the answer to the above? bump
Kerberos may or may not be important, depending on your system setup.

If you're in an environment with kerberos (eg: authenticating against active directory), taking out kerberos will break everything. If you're standalone, then it should be harmless.

I'd recommend chmod 700'ing or 000'ing the telnet client in question and seeing if it breaks anything over a couple days. Ripping out the whole kerberos system over its telnet client sounds ... rash.

I'd also say check back with your security folks and ask what the heck they actually want to accomplish. Telnet's a simple protocol, and just about any socket app can be used as a telnet client (eg: nc). If the system has a compiler on it, people can put the source for a telnet/ssh client on it and build it for themselves. If they've got write access to their own home directories, they can put their own ssh clients on the system, even if they can't compile them.

In other words, restricting access to the binary is a relatively stupid solution that only complies with the letter, not the spirit of the policy. Restricting new outgoing connections (eg: with iptables), on the other hand, would comply with the spirit of the policy.
 