SSH login restriction for root user from a particular client
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hi,
I have a Linux server with the IP address 10.140.1.1.
From seven workstations (IPs 10.140.1.2, 10.140.1.3 ... 10.140.1.8) I can connect to 10.140.1.1 using SSH, and root user credentials are used for login.
Now my requirement is that the user should be allowed to SSH to 10.140.1.1 from 10.140.1.2 but should not be able to log in using root credentials, whereas from the other workstations (10.140.1.3, 10.140.1.4 ...) SSH should also be possible using root credentials.
Add a DenyUsers entry; below is an excerpt from the man page:
Quote:
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. Only user names are valid; a
numerical user ID is not recognized. By default, login is
allowed for all users. If the pattern takes the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.
Use the AllowUsers parameter:
Code:
# sshd_config: entries are space-separated, no colon or commas;
# "user1" may log in only from the first workstation, root only from 10.140.1.3
AllowUsers user1@10.140.1.2 root@10.140.1.3
Quote:
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users. If the pattern takes the form
USER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.
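The two replies above differ in effect, and the man page order (DenyUsers checked first, then AllowUsers, which is exclusive once set) decides it. The following Python is an added offline model of that evaluation, not code from the thread or from OpenSSH; it assumes the seven workstation addresses and the user names root and test from the thread, supports only the "*" and "?" wildcards of sshd patterns, and leaves DenyGroups/AllowGroups out.

```python
"""Offline model of sshd's DenyUsers / AllowUsers evaluation order for USER@HOST patterns."""
import re


def _glob_match(pattern: str, value: str) -> bool:
    # sshd patterns support only '*' and '?'; translate them to an anchored regex.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _entry_matches(entry: str, user: str, host: str) -> bool:
    # "USER@HOST": user and host parts are checked separately (as the man page says);
    # a bare "USER" entry applies to that user from every host.
    if "@" in entry:
        user_pat, host_pat = entry.split("@", 1)
        return _glob_match(user_pat, user) and _glob_match(host_pat, host)
    return _glob_match(entry, user)


def login_allowed(user: str, host: str, deny_users=(), allow_users=()) -> bool:
    # Order from sshd_config(5): DenyUsers first, then AllowUsers.
    # DenyGroups / AllowGroups follow in real sshd and are not modelled here.
    if any(_entry_matches(e, user, host) for e in deny_users):
        return False
    if allow_users and not any(_entry_matches(e, user, host) for e in allow_users):
        return False
    return True


# Constructed from the thread: the seven workstations 10.140.1.2 ... 10.140.1.8.
CLIENTS = [f"10.140.1.{n}" for n in range(2, 9)]


def policy_report(deny_users=(), allow_users=()):
    """Map each (user, client) pair from the thread to True/False under one policy."""
    return {(u, h): login_allowed(u, h, deny_users, allow_users)
            for u in ("root", "test") for h in CLIENTS}


if __name__ == "__main__":
    # Policy A: DenyUsers only, as the first reply suggests.
    a = policy_report(deny_users=["root@10.140.1.2"])
    # Policy B: AllowUsers naming two hosts, as the second reply suggests.
    b = policy_report(allow_users=["test@10.140.1.2", "root@10.140.1.3"])
    for name, rep in (("A", a), ("B", b)):
        blocked = sorted(f"{u}@{h}" for (u, h), ok in rep.items() if not ok)
        print(f"policy {name}: blocked {blocked}")
```

Running it shows policy A blocks exactly root@10.140.1.2 (the requirement as stated), while policy B also locks root out of 10.140.1.4 through 10.140.1.8 and test out of every host but 10.140.1.2, because an AllowUsers list permits only what it names.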
Quote:
From seven workstations (IPs 10.140.1.2, 10.140.1.3 ... 10.140.1.8) I can connect to 10.140.1.1 using SSH, and root user credentials are used for login.
So you can have up to 7 people logging in as root? Excuse me, but that is just not a good way to go.
Quote:
Now my requirement is that the user should be allowed to SSH to 10.140.1.1 from 10.140.1.2 but should not be able to log in using root credentials, whereas from the other workstations (10.140.1.3, 10.140.1.4 ...) SSH should also be possible using root credentials.
Instead of trying to use IP addresses to filter who does or does not have root access, how about looking at what functions need to be performed as root and using sudo to give specific people permission to do those. Maybe I'm not understanding something, but it sounds like you're trying to solve a problem the wrong way. An explanation of what you're trying to do may help.
Although I can deny that particular workstation from logging in directly as root, that workstation can still log in with another user name and use su. Then does blocking that particular IP make any sense?
DenyUsers denies user login.
If you want to deny SSH from a particular IP, then you can use /etc/hosts.deny:
Code:
sshd: ipaddress
Or you can define an iptables rule.
Last edited by sem007; 08-19-2010 at 05:03 AM. Reason: add more info
Our Linux server has the IP address 10.140.1.1. From the workstation 10.140.1.2 only the user test is allowed to SSH in (root credentials are restricted).
Now the user test is connecting to server 10.140.1.1 from the client 10.140.1.2 and switching to the root account using the su command.
Please suggest how we can block the user test from using the su command once he connects to 10.140.1.1.
As long as test has the root password (which presumably they do since they can su to root), there really isn't much you can do. Once again, I think you're looking at the problem the wrong way unless I'm not understanding something. If the user test has the need to run some commands as root, you should be using sudo to grant permission to just those commands. What you shouldn't be doing is handing out the root password and then trying to jury-rig restrictions.
Change the permissions on the ssh command so that the user in question can't run it. For example, make a group called ssh, then
change the ownership of ssh to root:ssh with permissions 550; then only root and users in the ssh group could run ssh.