- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - Linux
- >
- User creation only for SHH // How to
Operating System - Linux
1753777
Members
7499
Online
108799
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-28-2009 09:55 PM
07-28-2009 09:55 PM
User creation only for SHH // How to
Hello Guys
How do i create a user only for ssh.
the user must do anything without SSH
Thanks;
How do i create a user only for ssh.
the user must do anything without SSH
Thanks;
1 REPLY 1
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-29-2009 12:41 AM
07-29-2009 12:41 AM
Re: User creation only for SHH // How to
If you want to force *all* users to use SSH, the simplest and recommended solution would be to disable (comment out) the other login methods (telnet, rexec, rlogin, rsh, ftp) from /etc/inetd.conf. Then send a "kill -HUP" to the inetd process to make it use the new configuration.
But if you want to do this for *just one* user, it's a bit more difficult. Fortunately sshd sets up a special environment variable SSH_CLIENT: we can test in a login script if it exists and terminate the session if it is not there.
Disclaimer: the following pieces of script are NOT TESTED, use them at your own risk. Test them well before using in production systems.
Maybe adding something like this in /etc/profile would work:
(assuming that the username to block is "sshuser")
if [ $(whoami) = "sshuser" ]; then
if [ "$SSH_CLIENT" = "" ]; then
logger -p auth.notice "Unauthorized non-SSH login attempt blocked"
echo "Access Denied"
exit # end session!
fi
fi
To stop the user from avoiding the block by changing his/her shell, you must also do the same thing in /etc/csh.login (using csh syntax):
if ( "$user" == "sshuser" ) then
if ( ! $?SSH_CLIENT ) then
logger -p auth.notice "Unauthorized non-SSH login attempt blocked"
echo "Access Denied"
exit # end session!
endif
endif
You should also add the user to the ftpusers file to prevent him/her from using un-encrypted FTP. If you have other services that allow un-encrypted access, you should examine their documentation to find ways to disable them for that user.
MK
But if you want to do this for *just one* user, it's a bit more difficult. Fortunately sshd sets up a special environment variable SSH_CLIENT: we can test in a login script if it exists and terminate the session if it is not there.
Disclaimer: the following pieces of script are NOT TESTED, use them at your own risk. Test them well before using in production systems.
Maybe adding something like this in /etc/profile would work:
(assuming that the username to block is "sshuser")
if [ $(whoami) = "sshuser" ]; then
if [ "$SSH_CLIENT" = "" ]; then
logger -p auth.notice "Unauthorized non-SSH login attempt blocked"
echo "Access Denied"
exit # end session!
fi
fi
To stop the user from avoiding the block by changing his/her shell, you must also do the same thing in /etc/csh.login (using csh syntax):
if ( "$user" == "sshuser" ) then
if ( ! $?SSH_CLIENT ) then
logger -p auth.notice "Unauthorized non-SSH login attempt blocked"
echo "Access Denied"
exit # end session!
endif
endif
You should also add the user to the ftpusers file to prevent him/her from using un-encrypted FTP. If you have other services that allow un-encrypted access, you should examine their documentation to find ways to disable them for that user.
MK
MK
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP