How to PREVENT a user from logging in through SSH

 
 
Ignoramus10392

 
      04-07-2008, 02:41 PM
Given prevalence of SSH dictionary attacks, I want to fortify my
systems a little.

I have several local (inside the house) users who I do NOT want to be
able to log on from outside via ssh.

I would like to disable any remote SSH logins for these users.

How can I do that?

thanks
 
 
 
 
 
Peter Ludikovsky

 
      04-07-2008, 02:48 PM
Ignoramus10392 wrote:
> Given prevalence of SSH dictionary attacks, I want to fortify my
> systems a little.
>
> I have several local (inside the house) users who I do NOT want to be
> able to log on from outside via ssh.
>
> I would like to disable any remote SSH logins for these users.
>
> How can I do that?
>
> thanks


man 5 sshd_config
Look at the AllowUsers / DenyUsers entries
 
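How the two directives combine, as an added example (not from the thread and not OpenSSH code): a small shell model of the check documented in sshd_config(5), where DenyUsers is processed before AllowUsers, the lists are space-separated, and a pattern is either USER or USER@HOST. The user names, addresses and file contents are constructed for illustration.

```shell
# Added example: simplified model of sshd's DenyUsers/AllowUsers decision.
# Assumes: no Match blocks, no CIDR or "!" negation, HOST compared with client address.

# list_for FILE KEYWORD: print every pattern given for KEYWORD, one per line.
list_for() {
    awk -v kw="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# matches PATTERN USER ADDR: PATTERN is USER or USER@HOST with * and ? wildcards.
matches() {
    case $1 in
        *@*) upat=${1%%@*}; hpat=${1#*@} ;;
        *)   upat=$1;       hpat='*' ;;
    esac
    case $2 in $upat) ;; *) return 1 ;; esac
    case $3 in $hpat) return 0 ;; *) return 1 ;; esac
}

# any_match FILE KEYWORD USER ADDR: succeeds if any pattern of KEYWORD matches.
any_match() {
    list_for "$1" "$2" | (
        while read -r pat; do
            if matches "$pat" "$3" "$4"; then exit 0; fi
        done
        exit 1
    )
}

# ssh_user_allowed FILE USER ADDR: 0 = may log in, 1 = refused.
ssh_user_allowed() {
    if any_match "$1" DenyUsers "$2" "$3"; then return 1; fi    # deny list is checked first
    if [ -z "$(list_for "$1" AllowUsers)" ]; then return 0; fi  # no allow list: not restricted
    any_match "$1" AllowUsers "$2" "$3"                         # otherwise must be listed
}

# Constructed sample: "alice" from anywhere, "kid" only from the home LAN.
write_sample() {
    printf '%s\n' 'DenyUsers guest' 'AllowUsers alice kid@192.168.1.*' > "$1"
}

cfg=$(mktemp) && write_sample "$cfg"
for who in alice:203.0.113.7 kid:192.168.1.20 kid:203.0.113.7 root:192.168.1.20; do
    ssh_user_allowed "$cfg" "${who%%:*}" "${who#*:}" && r=allowed || r=refused
    echo "$who -> $r"
done
rm -f "$cfg"
```

On a real host, `sshd -t` validates the edited file before the daemon is restarted. Because root is not in the constructed AllowUsers list it is refused here regardless of PermitRootLogin; once it is listed, PermitRootLogin becomes the deciding setting.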
 
Ignoramus10392

 
      04-07-2008, 03:10 PM
On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
> Ignoramus10392 wrote:
>> Given prevalence of SSH dictionary attacks, I want to fortify my
>> systems a little.
>>
>> I have several local (inside the house) users who I do NOT want to be
>> able to log on from outside via ssh.
>>
>> I would like to disable any remote SSH logins for these users.
>>
>> How can I do that?
>>
>> thanks

>
> man 5 sshd_config
> Look at the AllowUsers / DenyUsers entries


Looks great to me. Thanks. I assume that if I say AllowUsers
....,root,... then, in conjunction with PermitRootLogin
without-password the passworded root login will not be allowed.

I will try to verify everything.

i
 
 
Peter Ludikovsky

 
      04-07-2008, 03:25 PM
Ignoramus10392 wrote:
> On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
>> Ignoramus10392 wrote:
>>> Given prevalence of SSH dictionary attacks, I want to fortify my
>>> systems a little.
>>>
>>> I have several local (inside the house) users who I do NOT want to be
>>> able to log on from outside via ssh.
>>>
>>> I would like to disable any remote SSH logins for these users.
>>>
>>> How can I do that?
>>>
>>> thanks

>> man 5 sshd_config
>> Look at the AllowUsers / DenyUsers entries

>
> Looks great to me. Thanks. I assume that if I say AllowUsers
> ...,root,... then, in conjunction with PermitRootLogin
> without-password the passworded root login will not be allowed.
>
> I will try to verify everything.
>
> i


Security-wise it would be better to say "PermitRootLogin no" and
"su"||"sudo" when needed. Also, setting "PasswordAuthentication no" and
using Public Key Authentication is a good idea.

hth
/peter
 
 
Ignoramus10392

 
      04-07-2008, 04:32 PM
On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
> Ignoramus10392 wrote:
>> On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
>>> Ignoramus10392 wrote:
>>>> Given prevalence of SSH dictionary attacks, I want to fortify my
>>>> systems a little.
>>>>
>>>> I have several local (inside the house) users who I do NOT want to be
>>>> able to log on from outside via ssh.
>>>>
>>>> I would like to disable any remote SSH logins for these users.
>>>>
>>>> How can I do that?
>>>>
>>>> thanks
>>> man 5 sshd_config
>>> Look at the AllowUsers / DenyUsers entries

>>
>> Looks great to me. Thanks. I assume that if I say AllowUsers
>> ...,root,... then, in conjunction with PermitRootLogin
>> without-password the passworded root login will not be allowed.
>>
>> I will try to verify everything.
>>
>> i

>
> Security-wise it would be better to say "PermitRootLogin no" and
> "su"||"sudo" when needed. Also, setting "PasswordAuthentication no" and
> using Public Key Authentication is a good idea.
>
> hth
> /peter


Thanks. It worked fine. I have permitrootlogin without-password.

I do need from time to time to perform root tasks from scripts, for
example restarting named after DNS zone files update. I cannot fully
disable root login, though not letting passworded root logins is a
good idea which I already follow.

Setting PasswordAuthentication to no seems like a very dangerous idea
that can leave me stranded.

i
 
 
Keith Keller

 
      04-07-2008, 05:14 PM
On 2008-04-07, Ignoramus10392 <(E-Mail Removed)> wrote:
>
> I do need from time to time to perform root tasks from scripts, for
> example restarting named after DNS zone files update.


That is what su and sudo are for.

--keith

--
kkeller-(E-Mail Removed)
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

 
 
Unruh

 
      04-07-2008, 05:22 PM
Ignoramus10392 <(E-Mail Removed)> writes:

>On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
>> Ignoramus10392 wrote:
>>> On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
>>>> Ignoramus10392 wrote:
>>>>> Given prevalence of SSH dictionary attacks, I want to fortify my
>>>>> systems a little.
>>>>>
>>>>> I have several local (inside the house) users who I do NOT want to be
>>>>> able to log on from outside via ssh.
>>>>>
>>>>> I would like to disable any remote SSH logins for these users.
>>>>>
>>>>> How can I do that?
>>>>>
>>>>> thanks
>>>> man 5 sshd_config
>>>> Look at the AllowUsers / DenyUsers entries
>>>
>>> Looks great to me. Thanks. I assume that if I say AllowUsers
>>> ...,root,... then, in conjunction with PermitRootLogin
>>> without-password the passworded root login will not be allowed.
>>>
>>> I will try to verify everything.
>>>
>>> i

>>
>> Security-wise it would be better to say "PermitRootLogin no" and
>> "su"||"sudo" when needed. Also, setting "PasswordAuthentication no" and
>> using Public Key Authentication is a good idea.
>>
>> hth
>> /peter


>Thanks. It worked fine. I have permitrootlogin without-password.


>I do need from time to time to perform root tasks from scripts, for
>example restarting named after DNS zone files update. I cannot fully
>disable root login, though not letting passworded root logins is a
>good idea which I already follow.


You did not understand him. Disallow root logins. Then you can get in as
yourself and then su or sudo to root.
If you put yourself into the sudo list then you could do a passwordless
root login to yourself, and run the script which has a sudo in it to allow
root to do the things it needs to do. You can also make sure that sudo only
allows a few commands to be done in that way.



>Setting PasswordAuthentication to no seems like a very dangerous idea
>that can leave me stranded.


How?



 
 
Ignoramus10392

 
      04-07-2008, 05:55 PM
On 2008-04-07, Keith Keller <kkeller-(E-Mail Removed)> wrote:
> On 2008-04-07, Ignoramus10392 <(E-Mail Removed)> wrote:
>>
>> I do need from time to time to perform root tasks from scripts, for
>> example restarting named after DNS zone files update.

>
> That is what su and sudo are for.
>
>


I thought that both su and sudo require the user to enter a password?

i
 
 
Ignoramus10392

 
      04-07-2008, 05:56 PM
On 2008-04-07, Unruh <unruh-(E-Mail Removed)> wrote:
> Ignoramus10392 <(E-Mail Removed)> writes:
>
>>On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
>>> Ignoramus10392 wrote:
>>>> On 2008-04-07, Peter Ludikovsky <(E-Mail Removed)> wrote:
>>>>> Ignoramus10392 wrote:
>>>>>> Given prevalence of SSH dictionary attacks, I want to fortify my
>>>>>> systems a little.
>>>>>>
>>>>>> I have several local (inside the house) users who I do NOT want to be
>>>>>> able to log on from outside via ssh.
>>>>>>
>>>>>> I would like to disable any remote SSH logins for these users.
>>>>>>
>>>>>> How can I do that?
>>>>>>
>>>>>> thanks
>>>>> man 5 sshd_config
>>>>> Look at the AllowUsers / DenyUsers entries
>>>>
>>>> Looks great to me. Thanks. I assume that if I say AllowUsers
>>>> ...,root,... then, in conjunction with PermitRootLogin
>>>> without-password the passworded root login will not be allowed.
>>>>
>>>> I will try to verify everything.
>>>>
>>>> i
>>>
>>> Security-wise it would be better to say "PermitRootLogin no" and
>>> "su"||"sudo" when needed. Also, setting "PasswordAuthentication no" and
>>> using Public Key Authentication is a good idea.
>>>
>>> hth
>>> /peter

>
>>Thanks. It worked fine. I have permitrootlogin without-password.

>
>>I do need from time to time to perform root tasks from scripts, for
>>example restarting named after DNS zone files update. I cannot fully
>>disable root login, though not letting passworded root logins is a
>>good idea which I already follow.

>
> You did not understand him. Disallow root logins. Then you can get in as
> yourself and then su or sudo to root.


automatically from a script?

> If you put yourself into the sudo list then you could do a
> passwordless root login to yourself, and run the script which has a
> sudo in it to allow root to do the things it needs to do. You can
> also make sure that sudo only allows a few commands to be done in
> that way.


I guess I was mistaken, but I thought that both sudo and su require me
to enter some kind of password (mine or root's). Is that wrong?

i
 
 
Chris Mattern

 
      04-07-2008, 06:02 PM
On 2008-04-07, Ignoramus10392 <(E-Mail Removed)> wrote:
> On 2008-04-07, Keith Keller <kkeller-(E-Mail Removed)> wrote:
>> On 2008-04-07, Ignoramus10392 <(E-Mail Removed)> wrote:
>>>
>>> I do need from time to time to perform root tasks from scripts, for
>>> example restarting named after DNS zone files update.

>>
>> That is what su and sudo are for.
>>
>>

>
> I thought that both su and sudo require the user to enter a password?
>

su does require the password of the user you are switching to (unless
you're root already). sudo *normally* requires the password of the
user who invokes it as an additional security measure but can be
configured to not require it. I would regard setting up a utility
account with NOPASSWORD sudo privileges as more secure than letting
root log directly in via SSH, as you can limit the utility account
to be able to do as root only the things you list in sudo.

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities
 
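The setup Unruh and Chris Mattern describe, as an added example that is not part of any post: a shell helper that writes a sudoers rule letting one utility account run only the listed commands as root without a password, and syntax-checks it with visudo before installing. The account name `dnsupdate`, the host name `server` and the `/usr/sbin/rndc` path are assumptions; sudoers spells the tag `NOPASSWD`.

```shell
# Added example: restricted NOPASSWD sudo rule for a utility account.
# Constructed names: account "dnsupdate", command "/usr/sbin/rndc reload".

# render_rule ACCOUNT CMD...: print one sudoers line, or fail on unsafe input.
render_rule() {
    acct=$1; shift
    case $acct in
        ''|*[!a-z0-9_-]*) echo "bad account name" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "no commands given" >&2; return 1; }
    cmds=
    for c in "$@"; do
        case $c in
            /*) ;;   # absolute paths only, which also rules out the keyword ALL
            *)  echo "refusing '$c': not an absolute path" >&2; return 1 ;;
        esac
        case $c in
            *[,:=*?]*) echo "refusing '$c': wildcard or separator" >&2; return 1 ;;
        esac
        cmds=${cmds:+$cmds, }$c
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$acct" "$cmds"
}

# install_rule ACCOUNT CMD...: syntax-check with visudo, then install as 0440.
install_rule() {
    tmp=$(mktemp) || return 1
    render_rule "$@" > "$tmp" && visudo -cf "$tmp" &&
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# As root on the server:   install_rule dnsupdate '/usr/sbin/rndc reload'
# From the remote script:  ssh dnsupdate@server sudo -n /usr/sbin/rndc reload
```

With the arguments written into the rule, sudo accepts only that exact command line from the account, and `sudo -n` fails instead of prompting if the rule does not apply.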
 
 
 