[Gllug] Restricting logins

Ian Northeast ian at house-from-hell.demon.co.uk
Fri Apr 2 19:40:52 UTC 2004


Henrik Morsing wrote:

>>Also, I would like to make it impossible to log in to these users by
>>ssh. This must be possible, but how?
> 
> If you add an AllowUsers statement to the sshd_config, with all the
> *other* users in it, you can prevent this user from logging in.

I prefer to create a group for the purpose, put AllowGroups in 
sshd_config and put the legitimate users in that group.

I don't like Alain's alternative of a list of users who *can't* ssh; 
while it is true that you will get fewer complaints, you also get less 
security and an error is unlikely to be noticed. If you have a list of 
allowed users, whether by putting it in sshd_config or its being the 
membership of a group, then errors will be noticed quickly enough and as 
long as you are prompt in responding to complaints no-one will be 
particularly annoyed.
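An added example (not from the list post) that models why the two approaches fail differently: it applies the evaluation order documented in sshd_config(5), DenyUsers, then AllowUsers, DenyGroups, AllowGroups, to constructed users 'ian', 'temp1' and a hypothetical unclassified new account 'newbie', for plain names only (no wildcard or user@host patterns, no Match blocks).

```python
"""Model of sshd's allow/deny evaluation order, used to compare a denylist
policy (DenyUsers) with an allowlist policy (AllowGroups).

Constructed example: handles plain user and group names only; wildcard and
user@host patterns, Match blocks and case-insensitive keywords are ignored.
"""

ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_sshd_config(text):
    """Return {directive: [names]} for the four allow/deny directives."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ORDER:
            policy.setdefault(key, []).extend(value.split())
    return policy


def login_allowed(user, groups, policy):
    """Apply the sshd_config(5) order; an absent allow list imposes no restriction."""
    if user in policy.get("DenyUsers", []):
        return False
    allow_users = policy.get("AllowUsers", [])
    if allow_users and user not in allow_users:
        return False
    if any(g in policy.get("DenyGroups", []) for g in groups):
        return False
    allow_groups = policy.get("AllowGroups", [])
    if allow_groups and not any(g in allow_groups for g in groups):
        return False
    return True


# Constructed accounts: 'newbie' is a new account nobody classified yet.
USERS = {"ian": ["staff", "sshusers"], "temp1": ["staff"], "newbie": ["staff"]}
DENYLIST_CONFIG = "DenyUsers temp1\n"        # list who can't log in
ALLOWLIST_CONFIG = "AllowGroups sshusers\n"  # list who can (group based)


def compare_policies(users=USERS):
    """Return {user: (allowed_under_denylist, allowed_under_allowlist)}."""
    deny, allow = parse_sshd_config(DENYLIST_CONFIG), parse_sshd_config(ALLOWLIST_CONFIG)
    return {u: (login_allowed(u, g, deny), login_allowed(u, g, allow))
            for u, g in users.items()}


if __name__ == "__main__":
    for user, (d, a) in compare_policies().items():
        print(f"{user:8s} denylist={'allowed' if d else 'denied':8s} allowlist={'allowed' if a else 'denied'}")
```

Under the denylist the forgotten 'newbie' account gets ssh by default and nobody complains; under the group allowlist it is refused until someone adds it to the group, which is the error that gets noticed.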

I actually only do any of this on machines where security is paramount, 
which in my case is just the Internet facing servers in the DMZs. I am 
reasonably confident that there is no-one in the company with both the 
expertise and the inclination to do any serious hacking. Mainly it's the 
expertise that's lacking:) Anyone who has it most likely has root 
legitimately anyway. Over the years I have discovered some most 
appalling security holes but I've never seen anyone exploit them (except 
me, once, when the only person with the root password of a particular 
box got canned abruptly and I inherited it. Said box ran AIX and 
rescuing a lost root on AIX is a fairly painful exercise). If we had 
lots of whizzo geeky programmers around I'd be worried but we don't.

All of the internal hacking attempts I have seen have been truly inept. 
The favourite one is logging on to a colleague's (or in one case the 
MD's) email account on our proprietary mainframe based system and 
sending an offensive email. Using their own signon on the proprietary 
mainframe session manager. A quick run through the logs and... I don't 
like being responsible for getting someone sacked but these people 
really asked for it. Actually if I was writing the rules the people who 
set their email password to "email" would have been sacked too but... 
Well, one of them was the MD:)

Regards, Ian
