System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

User creation only for SHH // How to

 
txtraz
Advisor

User creation only for SHH // How to

Hello Guys
How do i create a user only for ssh.
the user must do anything without SSH

Thanks;
1 REPLY
Matti_Kurkela
Honored Contributor

Re: User creation only for SHH // How to

If you want to force *all* users to use SSH, the simplest and recommended solution would be to disable (comment out) the other login methods (telnet, rexec, rlogin, rsh, ftp) from /etc/inetd.conf. Then send a "kill -HUP" to the inetd process to make it use the new configuration.

But if you want to do this for *just one* user, it's a bit more difficult. Fortunately sshd sets up a special environment variable SSH_CLIENT: we can test in a login script if it exists and terminate the session if it is not there.

Disclaimer: the following pieces of script are NOT TESTED, use them at your own risk. Test them well before using in production systems.

Maybe adding something like this in /etc/profile would work:
(assuming that the username to block is "sshuser")

if [ $(whoami) = "sshuser" ]; then
if [ "$SSH_CLIENT" = "" ]; then
logger -p auth.notice "Unauthorized non-SSH login attempt blocked"
echo "Access Denied"
exit # end session!
fi
fi

To stop the user from avoiding the block by changing his/her shell, you must also do the same thing in /etc/csh.login (using csh syntax):

if ( "$user" == "sshuser" ) then
if ( ! $?SSH_CLIENT ) then
logger -p auth.notice "Unauthorized non-SSH login attempt blocked"
echo "Access Denied"
exit # end session!
endif
endif

You should also add the user to the ftpusers file to prevent him/her from using un-encrypted FTP. If you have other services that allow un-encrypted access, you should examine their documentation to find ways to disable them for that user.

MK
MK