#1 |
|
Triple-A Player
Join Date: May 2003
Posts: 65
|
preventing an ssh login for certain users
Hello-
This isn't quite a UNIX question, but this seemed like the best place for it, so....

I'm trying to create a user on my machine that guests to my home can use to check their e-mail and surf the Web. I would like to set this user up with a fairly obvious password (like "guest") so that people don't need my help every time they want to log in. I'm confident in the physical security of my machine (i.e., no one's going to get into my office without my knowledge -- and if they do, I have bigger problems than the fact that they'll be able to access a user account on my computer).

However, I don't want to leave myself open to outside attacks. I have ssh access set up under my user account. I know that when you set up a new user, you can turn off "remote access" and the like under the Sharing panel. Will this ensure that the ONLY way to log in as this user will be at the computer's physical keyboard?

Thanks in advance,
jf

Last edited by jfruh; 10-06-2003 at 01:16 PM.
#2 |
|
Moderator
Join Date: Jan 2002
Posts: 10,652
|
Turning on/off Personal Sharing & Remote Access can only be done by an admin user. It's an all or nothing thing, so in order to keep outsiders from getting into that machine via ssh you'd have to 1) turn off ssh or 2) have a very good password.
__________________
Chameleon's Consignment Loft
#3 |
|
Triple-A Player
Join Date: May 2003
Posts: 65
|
yes, i just tried this out and noticed this fact! i've discovered another way to work around this: identify the password in the "long name" of the user that appears on the login screen. thus it can be a "strong" password but still obvious to anyone actually sitting at the computer, though not a remote attacker. how does that sound?
jf
#4 |
|
Moderator
Join Date: Jan 2002
Posts: 10,652
|
I wouldn't do that.. You'd be surprised the strange places that your long name shows up.. it could be given away by your web browser or a chat client, etc. You could just put the password in the password hint field, or (the 'safest' solution) just put a sticky note on your monitor with the password and change it often.
#5 |
|
Moderator
Join Date: Jan 2002
Location: Montreal
Posts: 29,278
|
I don't know what the facilities in the Accounts Preferences pane do, but a reading of 'man sshd_config' shows that you can specify who gets ssh access via the AllowUsers and AllowGroups directives in /etc/sshd_config.
#6 |
|
League Commissioner
Join Date: Jan 2002
Posts: 5,536
|
another way to block ssh in this guest user situation is to assign /sbin/nologin as the account's login shell in netinfo manager.
no?

[edit: added "login shell"]

Last edited by mervTormel; 10-06-2003 at 03:09 PM.
#7 |
|
Triple-A Player
Join Date: May 2003
Posts: 65
|
my solution
thanks everyone for your help! the solution that i used is as follows:
1. open /etc/sshd_config in your favorite text editor.
2. add the following line: AllowUsers username1 username2
   replacing username1 and 2 with the short usernames of those users who *will* be able to log in via ssh. you can add as many as you want, separated by spaces.
3. restart the ssh daemon (or, as i did, the computer)

voila! if anyone attempts to log in via ssh with a username that is not in the list after "AllowUsers", it will be as if they are trying to log in to an account that does not exist.
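A way to check the result of the steps in post #7 before restarting the daemon, as an added example that is not part of the original thread: it reads the AllowUsers lines from a config file and reports whether a given short username would be admitted. The function name `ssh_user_allowed`, the sample config and the usernames `jf` and `admin` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): would AllowUsers admit this user?
# Assumptions: Match blocks, Include files, DenyUsers, AllowGroups and
# negated (!) patterns are ignored; only the user part of USER@HOST is checked.

# Usage: ssh_user_allowed CONFIG USER
# Prints "unrestricted" (no AllowUsers line at all), "allowed" or "denied".
ssh_user_allowed() {
    conf=$1
    user=$2
    # Keywords are case-insensitive and AllowUsers may appear on several
    # lines; commented-out lines never match because $1 starts with '#'.
    patterns=$(awk 'tolower($1) == "allowusers" {
                        for (i = 2; i <= NF; i++) print $i
                    }' "$conf")
    if [ -z "$patterns" ]; then
        echo unrestricted
        return 0
    fi
    verdict=denied
    while IFS= read -r pat; do
        pat=${pat%%@*}              # drop an optional @HOST restriction
        # Unquoted $pat acts as a glob, covering sshd's * and ? wildcards.
        case $user in
            $pat) verdict=allowed ;;
        esac
    done <<EOF
$patterns
EOF
    echo "$verdict"
}

# Constructed sample config; "jf" and "admin" are placeholder usernames.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# Sample sshd_config fragment (constructed for this example)
Port 22
#AllowUsers guest
allowusers jf
AllowUsers admin@192.168.1.*
EOF

for u in jf admin guest; do
    printf '%s: %s\n' "$u" "$(ssh_user_allowed "$sample_conf" "$u")"
done
```

A result of "unrestricted" means the file has no active AllowUsers line, so the allow-list is not limiting ssh logins for any account, the guest account included.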
#8 |
|
Moderator
Join Date: Jan 2002
Posts: 10,652
|
Very cool.. good to know.