Making -some- of the account to accept either SSH and/or logins from all or specified IP range.

Ok, I've known the answer to this in the past, but it has faded from my 
head.  How to modify some (not all) of the accounts under unix/linux 
(RedHat7.2) to accept only SSH/SSH2 logins, and how to make some others 
to accept only Telnet, and then, how to make some accounts to take 
logins from only some specific IP range?

---
Dai

daikane (3)
7/4/2003 7:22:31 PM
comp.security.ssh


On Fri, 04 Jul 2003, Markku Sukanen <daikane@messiah.ath.cx> wrote:
> Ok, I've known the answer to this in the past, but it has faded from my 
> head.  How to modify some (not all) of the accounts under unix/linux 
> (RedHat7.2) to accept only SSH/SSH2 logins, and how to make some others 
> to accept only Telnet, and then, how to make some accounts to take 
> logins from only some specific IP range?

I haven't really learned about xinetd yet, but /etc/hosts.allow and
hosts.deny can control access to daemons that pay attention to it (man 5
hosts_access).  The problem for me seems to be ipv6.  I used to be able to
control ssh using hostnames, then only IPs or IP ranges worked, now that
does not work in SuSE 8.2 and I resorted to ALL: UNKNOWN in hosts.deny 
(and keys only for ssh, no passwords allowed).

Since I only let in ssh, smtp and http, telnet is a non-issue and I don't
even have inetd or xinetd running.  Even from Windows I can ssh in with 
PuTTY.

-- 
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/
efflandt (885)
7/5/2003 2:19:30 AM
>>>>> "MS" == Markku Sukanen <daikane@messiah.ath.cx> writes:

    MS> Ok, I've known the answer to this in the past, but it has faded
    MS> from my head.  How to modify some (not all) of the accounts under
    MS> unix/linux (RedHat7.2) to accept only SSH/SSH2 logins, and how to
    MS> make some others to accept only Telnet, and then, how to make some
    MS> accounts to take logins from only some specific IP range?

This question is essentially backwards, because accounts are not active
entities that "accept" anything.  Any process running as root has the
right to create a process running under any other uid and thus "log" that
uid in.  There's no notion of there being a fixed allowed set of entryways
into the system which you can then list conveniently somewhere as being
the ones allowed for a given account.

So, to achieve this end, you have to rely on cooperating secondary effects.
For example, you could configure an OpenSSH server to only allow
public-key authentication, and only certain accounts (AllowUsers), then
use per-account presence/absence of ~/.ssh/authorized_keys and the
from=... key option to control whether and from where you can get in.  If
you can then set your Telnet server to *not* allow these accounts to log
in, but allow your other set, then you get the overall effect you want.
You might be able to accomplish that with a combination of PAM and/or
libwrap controls.

-- 
  Richard Silverman
  res@qoxp.net

res49 (1410)
7/5/2003 3:41:11 AM
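The combination Silverman describes, written out as an added example (it is not from any of the posts; the user names, key and addresses are constructed placeholders, and the pam_access and xinetd pieces are one way to fill in the PAM/libwrap part he leaves open):

```text
# /etc/ssh/sshd_config -- SSH-only accounts: alice from anywhere, bob only from 192.0.2.x
Protocol 2
PasswordAuthentication no          # keys only: no password, so no password guessing
PubkeyAuthentication yes
# USER@HOST patterns are checked separately for user and source address;
# any account not listed here cannot log in over SSH at all.
AllowUsers alice bob@192.0.2.*

# ~bob/.ssh/authorized_keys -- second, per-key restriction on the source address
from="192.0.2.*" ssh-rsa AAAA...CONSTRUCTED-PLACEHOLDER-KEY... bob@workstation

# /etc/hosts.deny -- libwrap default: nobody reaches telnetd (or sshd) unless allowed below
in.telnetd: ALL
sshd: ALL
# /etc/hosts.allow -- telnet only from 10.0.0.x, sshd from anywhere (sshd itself filters users)
in.telnetd: 10.0.0.
sshd: ALL

# /etc/xinetd.d/telnet -- same source restriction enforced by xinetd itself, if telnet runs under it
#   only_from = 10.0.0.0/24

# /etc/security/access.conf (pam_access) -- per-account rules for telnet/console logins
# permission : users : origins        (first matching line wins)
- : alice bob : ALL                   # the SSH-only accounts never get a telnet login
+ : carol : 10.0.0.                   # carol may telnet, but only from 10.0.0.x
- : carol : ALL
+ : ALL : ALL

# /etc/pam.d/login -- make the login service (what in.telnetd runs) consult access.conf
account    required     pam_access.so
```

The two SSH controls overlap on purpose: AllowUsers decides who may authenticate at all, and the from= option rejects a key that has leaked to another host even if the account is otherwise allowed.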