LinuxQuestions.org
Old 08-18-2010, 04:57 AM   #1
gajanan
LQ Newbie
 
Registered: Oct 2006
Location: bangalore
Posts: 11

Rep: Reputation: 0
SSH login restriction for root user from particular client


Hi,
I have a Linux server with the IP address 10.140.1.1.
From seven workstations (IPs are 10.140.1.2, 10.140.1.3…….10.140.1.8) I can connect to 10.140.1.1 using SSH, and root user credentials are used for login.
Now my requirement is that a user should be allowed to SSH to 10.140.1.1 from 10.140.1.2 but should not log in using root credentials, whereas from the other workstations (10.140.1.3, 10.140.1.4….) SSH should also be possible using root credentials.

Please let me know if you have any solution.

Thank You,
Gajanan
 
Old 08-18-2010, 06:42 AM   #2
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
Add a DenyUsers section; below is an excerpt from the man page:

Quote:
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. Only user names are valid; a
numerical user ID is not recognized. By default, login is
allowed for all users. If the pattern takes the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.
 
Old 08-18-2010, 06:56 AM   #3
rgdacosta
Member
 
Registered: Jun 2007
Location: South Africa
Distribution: Linux Mint,Fedora, openSUSE, RHEL, SLES, Scientific Linux
Posts: 71

Rep: Reputation: 25
Use the AllowUsers parameter:

AllowUsers user1@10.140.1.1 root@10.140.1.3

AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users. If the pattern takes the form
USER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.
 
1 members found this post helpful.
Old 08-18-2010, 07:01 AM   #4
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 113Reputation: 113
It is not good practice to log in as the root user remotely.


Code:
$ sudo vi /etc/ssh/sshd_config
DenyUsers root@ipaddress
i.e.
DenyUsers root@10.140.1.2
HTH

Last edited by sem007; 08-18-2010 at 07:02 AM.
 
1 members found this post helpful.
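The DenyUsers and AllowUsers lines suggested in posts #2 to #4 behave differently once the documented order (DenyUsers first, then AllowUsers) is applied. The following is an added example, not code from any poster or from OpenSSH: a simplified Python model of that order, run over the thread's addresses. It assumes simple `*`/`?` wildcard matching on the client address only, omits group directives and negation, and uses the account name `test` from later in the thread.

```python
# Added example: simplified model of sshd's documented DenyUsers/AllowUsers checks.
from fnmatch import fnmatchcase


def pattern_matches(pattern, user, addr):
    """USER@HOST: user and host are checked separately; bare USER: any host."""
    user_pat, sep, host_pat = pattern.partition("@")
    if not fnmatchcase(user, user_pat):
        return False
    return not sep or fnmatchcase(addr, host_pat)


def login_allowed(user, addr, deny_users=(), allow_users=()):
    """Apply DenyUsers first, then AllowUsers (group directives omitted)."""
    if any(pattern_matches(p, user, addr) for p in deny_users):
        return False
    if allow_users:  # once AllowUsers is set, only listed users may log in
        return any(pattern_matches(p, user, addr) for p in allow_users)
    return True  # default: login is allowed for all users


def access_matrix(users, addrs, **policy):
    """Map every (user, source address) pair to the login decision."""
    return {(u, a): login_allowed(u, a, **policy) for u in users for a in addrs}


# Constructed inputs based on the thread's addressing plan.
WORKSTATIONS = [f"10.140.1.{n}" for n in range(2, 9)]
USERS = ["root", "test"]

DENY_POLICY = {"deny_users": ["root@10.140.1.2"]}
ALLOW_POLICY = {"allow_users": ["user1@10.140.1.1", "root@10.140.1.3"]}


def report(name, policy):
    """Print, per user, the workstations from which login would succeed."""
    matrix = access_matrix(USERS, WORKSTATIONS, **policy)
    print(name)
    for user in USERS:
        ok = [a for a in WORKSTATIONS if matrix[(user, a)]]
        print(f"  {user}: allowed from {ok or 'nowhere'}")
    return matrix


if __name__ == "__main__":
    report("DenyUsers root@10.140.1.2", DENY_POLICY)
    report("AllowUsers user1@10.140.1.1 root@10.140.1.3", ALLOW_POLICY)
```

In this model the DenyUsers policy blocks only root from 10.140.1.2, while the AllowUsers patterns also reject root from 10.140.1.4 through 10.140.1.8 and every other account, because an AllowUsers list permits only what it names.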
Old 08-18-2010, 11:53 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
From seven workstations (IPs are 10.140.1.2, 10.140.1.3…….10.140.1.8) I can connect to 10.140.1.1 using SSH, and root user credentials are used for login.
So you can have up to 7 people logging in as root? Excuse me, but that is just not a good way to go.

Quote:
Now my requirement is that a user should be allowed to SSH to 10.140.1.1 from 10.140.1.2 but should not log in using root credentials, whereas from the other workstations (10.140.1.3, 10.140.1.4….) SSH should also be possible using root credentials.
Instead of trying to use IP addresses to filter who does or does not have root access, how about looking at what functions need to be performed as root and using sudo to give specific people permission to do those. Maybe I'm not understanding something, but it sounds like you're trying to solve a problem the wrong way. An explanation of what you're trying to do may help.
 
Old 08-18-2010, 11:17 PM   #6
GreyCode
LQ Newbie
 
Registered: Aug 2010
Posts: 2

Rep: Reputation: 0
Although I can deny that particular workstation direct login as root, that workstation can still log in with another user name and use su. Then does blocking that particular IP make any sense!!!
 
Old 08-19-2010, 05:00 AM   #7
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 113Reputation: 113
Quote:
Originally Posted by GreyCode View Post
Although I can deny that particular workstation direct login as root, that workstation can still log in with another user name and use su. Then does blocking that particular IP make any sense!!!
DenyUsers denies user login.

If you want to deny SSH from a particular IP, then you can use /etc/hosts.deny

Code:
sshd: ipaddress
or you can define an iptables rule.

Last edited by sem007; 08-19-2010 at 05:03 AM. Reason: add more info
 
Old 08-20-2010, 05:24 AM   #8
gajanan
LQ Newbie
 
Registered: Oct 2006
Location: bangalore
Posts: 11

Original Poster
Rep: Reputation: 0
Thank You

Hi All,

Thanks for your valuable suggestion. It is working for me.

Regards,
Gajanan
 
Old 08-20-2010, 05:37 AM   #9
gajanan
LQ Newbie
 
Registered: Oct 2006
Location: bangalore
Posts: 11

Original Poster
Rep: Reputation: 0
Need to disable (Block) su for particular user

Hi,

Our Linux server has the IP address 10.140.1.1. From the workstation 10.140.1.2 only user test is allowed to SSH (root credentials are restricted).
Now user test is connecting to server 10.140.1.1 from the client 10.140.1.2 and switching to the root account using the su command.

Please suggest how we can block the user test from using the su command once he connects to 10.140.1.1.

Thank You.

Regards,
Gajanan
 
Old 08-20-2010, 07:00 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
Please suggest how we can block the user test from using the su command once he connects to 10.140.1.1.
As long as test has the root password (which presumably they do since they can su to root), there really isn't much you can do. Once again, I think you're looking at the problem the wrong way unless I'm not understanding something. If the user test has the need to run some commands as root, you should be using sudo to grant permission to just those commands. What you shouldn't be doing is handing out the root password and then trying to jury-rig restrictions.
 
Old 08-24-2010, 04:51 AM   #11
gajanan
LQ Newbie
 
Registered: Oct 2006
Location: bangalore
Posts: 11

Original Poster
Rep: Reputation: 0
How to block user from executing SSH command?

Hi,

Please help me to know how we can block a user from executing the SSH command on the Linux server.

Thank You,
Gajanan
 
Old 08-24-2010, 07:17 AM   #12
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
Change permissions on the ssh command such that the user in question can't run it. For example, make a group called ssh and
change the ownership of ssh to root:ssh with permissions 550; then only root and users in the ssh group could run ssh.
 
  

