Re: [gentoo-user] Disable remote login for certain user
On Saturday January 17 2009 03:28:07 Grant wrote:
> an ssh config setting, in shorewall, or somewhere else?

You can:
1) use pam as described by Mike or
2) use sshd_config AllowUsers or
3) What I usually do is disable pam in ssh so only keys are accepted. Only if you have the key can you log in remotely. Of course that means you will have to carry your USB pendrive with you all the time :-)

Regards,
Norberto
Re: [gentoo-user] Disable remote login for certain user
> > an ssh config setting, in shorewall, or somewhere else?
>
> You can:
> 1) use pam as described by Mike or
> 2) use sshd_config AllowUsers

Thanks a lot, I went with 'AllowUsers root' in sshd_config since sshd is the only service running on the system.

- Grant

> or
> 3) What I usually do is disable pam in ssh so only keys are accepted. Only if you have the key can you log in remotely. Of course that means you will have to carry your USB pendrive with you all the time :-)
>
> Regards,
> Norberto
Re: [gentoo-user] Disable remote login for certain user
> > Should I do that via an ssh config setting, in shorewall, or somewhere else?
>
> I believe the right way would be to add an 'account required pam_access.so' line to /etc/pam.d/system-auth and define login restrictions in /etc/security/access.conf (it's also quite well documented).
> That way you'll block ssh/ftp/mail etc. logins for that account, which should also be prone to brute-force attacks because of the weak password.
> The catch is, of course, that you should have pam on your system ;)
>
> --
> Mike Kazantsev // fraggod.net

Can anyone tell me how to find out which users on a system have a login shell (e.g. not /bin/nologin)?

- Grant
Re: [gentoo-user] Disable remote login for certain user
On Saturday 17 January 2009, Grant wrote:
> > > an ssh config setting, in shorewall, or somewhere else?
> >
> > You can:
> > 1) use pam as described by Mike or
> > 2) use sshd_config AllowUsers
>
> Thanks a lot, I went with 'AllowUsers root' in sshd_config since sshd is the only service running on the system.

I really would not do that. Instead create a user to log in and su to root. Root should not be allowed to log in - way too risky.
Re: [gentoo-user] Disable remote login for certain user
> > > > an ssh config setting, in shorewall, or somewhere else?
> > >
> > > You can:
> > > 1) use pam as described by Mike or
> > > 2) use sshd_config AllowUsers
> >
> > Thanks a lot, I went with 'AllowUsers root' in sshd_config since sshd is the only service running on the system.
>
> I really would not do that. Instead create a user to log in and su to root. Root should not be allowed to log in - way too risky.

Is the idea to put 2 passwords in the way of gaining root access? The problem is twice as many passwords to memorize. Even if the 2 passwords are the same, I suppose they would have to come up with the username too, which is a (thin) extra layer. Is that done with 'AllowUsers user'?

- Grant
Re: [gentoo-user] Disable remote login for certain user
Grant wrote:
> > > > > an ssh config setting, in shorewall, or somewhere else?
> > > >
> > > > You can:
> > > > 1) use pam as described by Mike or
> > > > 2) use sshd_config AllowUsers
> > >
> > > Thanks a lot, I went with 'AllowUsers root' in sshd_config since sshd is the only service running on the system.
> >
> > I really would not do that. Instead create a user to log in and su to root. Root should not be allowed to log in - way too risky.
>
> Is the idea to put 2 passwords in the way of gaining root access? The problem is twice as many passwords to memorize. Even if the 2 passwords are the same, I suppose they would have to come up with the username too, which is a (thin) extra layer. Is that done with 'AllowUsers user'?
>
> - Grant

I would think the point is every hacker out there knows the user root exists. They may not know the other users, but they know root is there, so they just script the user root and bang away at passwords and hope they get lucky. Eventually, they will get lucky if they try long enough.

Think of it this way. If root is disabled, they have to figure out which user can su to root, since all may not be allowed to. They also have to guess that user's password. Then on top of that they have to guess the root password too. They have to get the user name, password and the root password right before they can do anything. If you allow root access, they only need the root password. Guessing one is easier than guessing three.

Dale

:-) :-)
Re: [gentoo-user] Disable remote login for certain user
On Saturday 17 January 2009, Grant wrote:
> > > > > an ssh config setting, in shorewall, or somewhere else?
> > > >
> > > > You can:
> > > > 1) use pam as described by Mike or
> > > > 2) use sshd_config AllowUsers
> > >
> > > Thanks a lot, I went with 'AllowUsers root' in sshd_config since sshd is the only service running on the system.
> >
> > I really would not do that. Instead create a user to log in and su to root. Root should not be allowed to log in - way too risky.
>
> Is the idea to put 2 passwords in the way of gaining root access?

one key+username and one password.

> The problem is twice as many passwords to memorize. Even if the 2 passwords are the same, I suppose they would have to come up with the username too, which is a (thin) extra layer.

just use pubkey for ssh. It is much safer anyway.
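The sub-thread above contrasts 'AllowUsers root' with password logins against an ordinary user, key-only login and su. As an added example (not code from the thread or from Gentoo), here is a small POSIX sh audit that parses sshd_config the way sshd reads it (first occurrence of a keyword wins, keyword case ignored) and reports the three settings the thread argues about. Both config excerpts are constructed; the user name grant is assumed.

```shell
#!/bin/sh
# Constructed sshd_config excerpts (not from a real host). WEAK mirrors
# Grant's first choice; HARDENED follows the thread's advice: an ordinary
# user logs in with a key and uses su, so root and passwords stay out of sshd.
WEAK_CONFIG='# sshd_config (constructed)
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers root'
HARDENED_CONFIG='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers grant'

# sshd_value KEYWORD: print KEYWORD's effective value from the config on
# stdin (first occurrence wins, keyword case ignored, comments skipped).
sshd_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while read -r key value; do
        case $key in ''|'#'*) continue ;; esac
        if [ "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" = "$want" ]; then
            printf '%s\n' "$value"
            return
        fi
    done
}

# audit_sshd: read a config on stdin, print one finding per line for the
# thread's three points, return 0 only when clean. An absent keyword is
# reported rather than assumed, since sshd's defaults vary by version.
audit_sshd() {
    cfg=$(cat)
    findings=0
    permit=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
    if [ "$permit" != no ]; then
        echo "PermitRootLogin='${permit:-unset}': everyone knows the name root; set no"
        findings=$((findings + 1))
    fi
    allow=$(printf '%s\n' "$cfg" | sshd_value AllowUsers)
    case " $allow " in *" root "*)
        echo "AllowUsers lists root: allow an ordinary user and su instead"
        findings=$((findings + 1)) ;;
    esac
    pw=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication='${pw:-unset}': accept keys only"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Run it against a live file with `audit_sshd < /etc/ssh/sshd_config`; it reads the file only and changes nothing.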
Re: [gentoo-user] Disable remote login for certain user
On Sat, 17 Jan 2009 10:50:31 -0800 Grant emailgr...@gmail.com wrote:
> Can anyone tell me how to find out which users on a system have a login shell (e.g. not /bin/nologin)?

  echo 'Unavailable user accounts:'; for usr in `cat /etc/passwd`; do usr=${usr%%:*}; exit | su $usr >/dev/null 2>&1 || echo -n "$usr "; done

--
Mike Kazantsev // fraggod.net
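Mike's loop needs root and actually tries su for every account. As an added example (not from the thread), the script below answers Grant's question by reading the shell field of passwd-format lines instead, so it runs unprivileged and on a copied file; the passwd lines and the deny list of non-interactive shells are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd lines (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
grant:x:1000:1000:Grant:/home/grant:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
www:x:80:80:web server:/var/www:/usr/sbin/nologin
legacy:x:1001:1001:empty shell field:/home/legacy:'

# Shells that never start a session. Assumption: a fixed list; on a real
# host compare the field against /etc/shells instead.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

# is_login_shell SHELL: succeed when SHELL can start a session. An empty
# field counts as a login shell, because login then falls back to /bin/sh.
is_login_shell() {
    case " $NOLOGIN_SHELLS " in
        *" $1 "*) return 1 ;;
    esac
    return 0
}

# login_users: read passwd-format lines on stdin and print one username
# per line for every account whose seventh field is a login shell.
login_users() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue            # skip blank lines
        is_login_shell "$shell" && printf '%s\n' "$user"
    done
}

# nologin_users: the complement, i.e. what Mike's su loop reports.
nologin_users() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        is_login_shell "$shell" || printf '%s\n' "$user"
    done
}

printf '%s\n' "$SAMPLE_PASSWD" | login_users
```

On a live system use `login_users < /etc/passwd`; the account named legacy in the sample shows why an empty shell field must not be treated as disabled.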
Re: [gentoo-user] Disable remote login for certain user
On Fri, 16 Jan 2009 21:28:07 -0800 Grant emailgr...@gmail.com wrote:
> Should I do that via an ssh config setting, in shorewall, or somewhere else?

I believe the right way would be to add an 'account required pam_access.so' line to /etc/pam.d/system-auth and define login restrictions in /etc/security/access.conf (it's also quite well documented).
That way you'll block ssh/ftp/mail etc. logins for that account, which should also be prone to brute-force attacks because of the weak password.
The catch is, of course, that you should have pam on your system ;)

--
Mike Kazantsev // fraggod.net