[techtalk] login restriction

Magni Onsoien magnio at pvv.ntnu.no
Sat Jul 8 15:06:07 EST 2000


jenn at simegen.com:
> Summary:
> 
> /bin/false or /bin/true as a login shell prevents an individual from
> logging in via telnet, ssh or rlogin.
> 
> Closing off rlogind and telnetd prevents ANYONE from logging in via
> rlogin or telnet. (But not ssh. Which is usually deliberately permitted)

sshd is usually started from init, not from inetd. (The services listed
in /etc/inetd.conf are started from inetd, on demand when someone is
requesting a service.) sshd may be started from inetd, but as sshd wants
to generate a key when it starts, starting it from inetd will make it
pretty sluggish. But you can edit the sshd_config, usually in
/etc/ssh/sshd_config or /etc/sshd_config, and say
	AllowHost your.machine.com *.workdomain.com another.machine.net
	AllowUser you yourfriend
to allow only you and yourfriend to log in, and only from the machines
listed in AllowHost. *.workdomain.com means that you can log in from any
machine at work, useful if you are using many machines or if your work
is using dhcp.

Alternatively you can use AllowGroups to allow anyone in the group you
list to log in. Nice if all the admin-members should be able to log in.

All the above are also available with Deny instead of Allow. The
difference is left as an exercise for the reader ;) (And is less
restrictive.)

With
	SilentDeny yes
anyone who is denied login will just be silently rejected; they don't
know if it's due to bad password, wrong username, wrong machine or
something else. Good practice, even if confusing when debugging :)

You must restart sshd with SIGHUP - kill -HUP <sshd-pid> - for the
changes to take effect.


Magni :)
-- 
ulimit is good for you.
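As an added illustration of the Allow/Deny difference the post leaves as an exercise (example code, not from the post or from any sshd release), the following checker parses two constructed config fragments using the post's directive names and decides whether a given user@host may log in; the evaluation order (Deny lists first, then any Allow lists, everyone else admitted when no Allow list exists) and the host names are assumptions of this example.

```python
import fnmatch

# Constructed config fragments (not taken from the post): one that only allows,
# one that only denies. Host and user names are made up for the example.
ALLOW_ONLY = """
AllowHost your.machine.com *.workdomain.com another.machine.net
AllowUser you yourfriend
"""
DENY_ONLY = """
DenyHost *.untrusted.example
DenyUser guest
"""

def parse_config(text):
    """Map each directive (lower-cased) to the list of patterns given for it."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        rules.setdefault(key, []).extend(value.split())
    return rules

def _matches(name, patterns):
    """Shell-style wildcard match, so *.workdomain.com covers every host there."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def login_permitted(rules, user, host, groups=()):
    """Assumed order for this example: Deny* lists reject first; then each
    Allow* list that exists must match; with no Allow* list at all, anyone
    not explicitly denied gets in, which is why Deny-only is less restrictive."""
    if _matches(user, rules.get("denyuser", [])):
        return False
    if _matches(host, rules.get("denyhost", [])):
        return False
    if any(_matches(g, rules.get("denygroups", [])) for g in groups):
        return False
    if "allowhost" in rules and not _matches(host, rules["allowhost"]):
        return False
    if "allowuser" in rules and not _matches(user, rules["allowuser"]):
        return False
    if "allowgroups" in rules and not any(
            _matches(g, rules["allowgroups"]) for g in groups):
        return False
    return True
```

Running it against the two fragments shows that the Allow-only config admits only the listed users from the listed hosts, while the Deny-only config admits everybody except the named exceptions.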