Operating System - HP-UX

deny access to specific users with ssh

 
Ratzie
Super Advisor

deny access to specific users with ssh

We are trying to lock down our system and with that, we have started using ssh.

How do we disable ssh login for specific users...
Steven E. Protter
Exalted Contributor

Re: deny access to specific users with ssh

passwd -l username

or

/var/adm/inetd.sec

You should be able to block by username there.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Joseph Loo
Honored Contributor

Re: deny access to specific users with ssh

Hi,

inetd.sec allows you to deny access to the hostname/s or ip address/es of the workstations.

# ssh deny/allow [ip or range of ip]
# ssh deny/allow [hostname/s]

In fact, I would also like to know how to disable certain services for specific users.

regards.
what you do not see does not mean you should not believe
Ratzie
Super Advisor

Re: deny access to specific users with ssh

I found the answer.
In sshd_config

DenyUsers
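
An added example, not part of the original post: a small shell audit that reads an sshd_config-style file and reports whether a user name matches a `DenyUsers` entry, including the `USER@HOST` form and multiple `DenyUsers` lines. The function names and the sample configuration are constructed for illustration; it assumes only the global section (before the first `Match` line) matters and does not handle negated patterns or CIDR hosts.

```shell
#!/bin/sh
# Added example (not from the thread): does USER match a DenyUsers entry?
# Assumptions: only the global section (before the first Match line) is read;
# patterns use * and ? wildcards; negated (!) patterns and CIDR are not handled.

# Constructed sample configuration, printed to stdout.
sample_config() {
    cat <<'EOF'
# global section
PermitRootLogin no
denyusers guest temp*
DenyUsers backup@192.0.2.*
Match Address 10.0.0.0/8
    DenyUsers alice
EOF
}

# Print every DenyUsers pattern from the global section of file $1.
deny_patterns() {
    awk '
        $1 ~ /^#/                  { next }   # comment line
        tolower($1) == "match"     { exit }   # stop at the first Match block
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Return 0 if user $2 (optionally connecting from host $3) matches a pattern.
is_denied() {
    cfg=$1 user=$2 host=${3:-}
    set -f                                   # do not expand patterns as filenames
    for pat in $(deny_patterns "$cfg"); do
        upat=${pat%%@*}                      # user part of USER@HOST
        hpat='*'                             # no @HOST: applies to any host
        case $pat in *@*) hpat=${pat#*@} ;; esac
        case "$user" in
            $upat) case "$host" in $hpat) set +f; return 0 ;; esac ;;
        esac
    done
    set +f
    return 1
}

tmp=$(mktemp) && sample_config > "$tmp"
for u in guest temp01 alice; do
    if is_denied "$tmp" "$u"; then echo "$u: denied"; else echo "$u: allowed"; fi
done
rm -f "$tmp"
```

After editing the real configuration file, `sshd -t` checks it for syntax errors before the daemon is restarted.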

Todd McDaniel_1
Honored Contributor

Re: deny access to specific users with ssh

Another effective way is to use /etc/hosts.allow... and /etc/hosts.deny...

You can configure it to only allow ranges and only certain IPs...

Here is a great link to it.


http://ezine.daemonnews.org/200206/hosts_allow.html


Shows full syntax and application.


Be sure to put any "deny" statements ahead of any "allow all" statements... in the /etc/hosts.allow file...

sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow

In the deny file, deny all:all. Use hosts.allow to manage services as I have in my example.


# cat /etc/hosts.allow
#all : all : banners=/usr/localcw/opt/sysguard/banners : allow
ftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : all : banners=/usr/localcw/opt/sysguard/banners : allow
tftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
logind : all : banners=/usr/localcw/opt/sysguard/banners : allow
rlogind : all : banners=/usr/localcw/opt/sysguard/banners : allow
remshd: all : banners=/usr/localcw/opt/sysguard/banners : allow
sidftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
rexecd : all : banners=/usr/localcw/opt/sysguard/banners : allow
sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow

Unix, the other white meat.