Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
This is basically an access control issue. Very often access control can be accomplished by using secondary user groups. I would do these steps on both machines. This will work on Linux and Solaris and any other *nix.
I would create a user group for each of the utilities. One user group called ssh and another user group called telnet.
Then I would change the ownership of each of these utilities so that root is the individual owner account and the user group matching the name of each utility is the group owner of the utility.
Then I would ensure that the permissions on each of these utilities is 750.
Then on the first machine I would add the ssh user group to the user account in question.
Now we have an environment where a user account has to be a member of the group that owns each of these utilities in order to use them. Since the user account on the first machine is a member of the ssh user group that user will be able to use the ssh utility. No user accounts are members of the telnet user group so no user will be able to use telnet. The user account on the second machine is not a member of the ssh or the telnet user groups so that user account will not be able to use either the ssh or the telnet utilities on the second machine. Naturally you have to add these user groups to all of the user accounts that need to access these utilities.
User groups are great for access control.
Last edited by stress_junkie; 10-01-2007 at 06:23 PM.
Of the various solutions that have been offered, the most sensible one to me seems to be the one that's based on iptables, because the requirement that "a user should be allowed to ssh into a server and NOT be allowed to ssh or telnet out of the server" seems (to me...) to be a requirement that would most-easily be achieved by filtering the TCP/IP traffic, not (if indeed it were possible...) the applications involved.
If the TCP/IP packets associated with incoming SSH traffic were permitted, while those associated with outgoing traffic were blocked, the objective would be reached. "Q.E.D."
I don't understand how I read the original post to mean one thing and everyone else read it to mean something different. I thought that the original post asked how to create this restriction for a particular user account. Everybody else read it to mean that all users should have this restriction. Corrado's follow up question seems to indicate that the second interpretation was correct. I just don't get how this happened. Since this happens pretty frequently I think I'll stop coming here and wasting my time. I guess my understanding of English is different than everybody else's.
Last edited by stress_junkie; 10-02-2007 at 09:42 AM.
I probably should have been more specific and stated that I was looking for a software client solution. I am very appreciative to all those who contribute.
Would restricting outgoing ssh connections prevent the use of scp or sftp?
Yes. But with iptables it's hard if one only wants to prevent outgoing SSH, while allowing other types of traffic for the user. I mean, filtering port 22 isn't an effective way to prevent SSH/SCP/SFTP usage, as SSH dameons can listen on any port. My example simply denies the user the ability to start any outgoing connections at all. If certain outbound access does indeed need to be allowed for the user, then one can add rules for that. But one needs to be extremely careful to not add a rule that would allow the user to use sneakiness to SSH somewhere. This would more than likely involve IP whitelisting in one way or another.
Kerberos may or may not be important, depending on your system setup.
If you're in an environment with kerberos (eg: authenticating against active directory), taking out kerberos will break everything. If you're standalone, then it should be harmless.
I'd recommend chmod 700'ing or 000'ing the telnet client in question and seeing if it breaks anything over a couple days. Ripping out the whole kerberos system over its telnet client sounds ... rash.
I'd also say check back with your security folks and ask what the heck they actually want to accomplish. Telnet's a simple protocol, and just about any socket app can be used as a telnet client (eg: nc). If the system has a compiler on it, people can put the source for a telnet/ssh client on it and build it for themselves. If they've got write access to their own home directories, they can put their own ssh clients on the system, even if they can't compile them.
In other words, restricting access to the binary is a relatively stupid solution that only complies with the letter, not the spirit of the policy. Restricting new outgoing connections (eg: with iptables), on the other hand, would comply with the spirit of the policy.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.