Go Back   macosx.com > Mac Help Forums > Unix & X11

#1  macidiot (Registered User, OH), July 28th, 2004, 10:45 PM
Allowing only certain users to ssh

I recently added a user account for a friend so that he could host a small website on my server. I want him to have ftp access, but no ssh access. I have been searching on the web for about an hour or so, and I think my answer lies in adding a "allowuser" command in the ssh_config file, but I can't seem to find a whole lot of info on how to use it.

What do I need to do to only allow ssh access to two users (and not him)?

Thanks,
Macidiot
#2  michaelsanford (Psycholinguist, Ottawa/Montréal), July 29th, 2004, 12:10 AM
The simplest way to accomplish this is to give him no shell (or more specifically, a null shell).

1. Open /Applications/Utilities/NetInfo Manager;
2. Select /Users/him in the three panes;
3. Click the lock, if locked, so you can make changes;
4. Change the value of "shell" to "/usr/bin/false";
5. Hit APPLE-S to save changes, saying yes to any messages about updating local domains, etc. Then under the Management menu, choose Restart Local NetInfo Domains for the changes to take effect.

This next step is important if you want your user still to have FTP access:
In a terminal window type cat /etc/shells and check to see if /usr/bin/false is listed. As you can see from the comment at the top of that file, if the shell is not listed there then the user won't be allowed to log in over FTP.

If it's not listed, add it by typing sudo pico /etc/shells, scroll down to the end of the list and type it in. Type CTRL-X to quit, pressing "y" to save and hitting ENTER to use the original file name.

Since FTPd is called from xinetd on OS X only when someone tries to connect, you won't need to restart it since FTPd doesn't run all the time.

PS While in NetInfo Manager you can also move his home directory, if it would be useful to do so to, say, another partition.
#3  scruffy (Notorious Olive Counter, Soviet Canuckistan), July 29th, 2004, 04:49 PM
Check the sshd_config manpage.

You're right that that's what you want, the AllowUsers directive. Basically, all you do is put a line in /etc/sshd_config like

AllowUsers somebody somebodyelse

Any user whose username is not somebody or somebodyelse will then be disallowed from connecting to ssh.
#4  macavenger (Official Volunteer, UAF, Fairbanks, AK), July 29th, 2004, 05:44 PM
Would there, by any chance, be a corresponding DenyUsers directive, if you have more people you want to allow than deny? Just curious.
#5  pedz (Registered User), July 29th, 2004, 06:29 PM
There are AllowUsers, AllowGroups, DenyUsers and DenyGroups. There are patterns.

Google "sshd_config" and pick the result that says sshd_config(5).

I wonder why Mac OS X doesn't have those man pages.
#6  macidiot (Registered User, OH), July 29th, 2004, 08:41 PM
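As an added illustration (not code from the thread or from OpenSSH itself): a small Python model of how sshd applies the four directives pedz names, in the order sshd_config(5) documents (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups), including '*' and '?' patterns and USER@HOST entries. It runs against a constructed config fragment; the group list is an assumption passed in by the caller, since the real sshd looks it up from the account database.

```python
"""Model of how sshd evaluates AllowUsers/DenyUsers/AllowGroups/DenyGroups.

Assumed from sshd_config(5), not from the thread: directives are checked in
the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; patterns use '*'
and '?' wildcards; USER@HOST entries also require the connecting host to
match.  Group membership is passed in by the caller.
"""
from fnmatch import fnmatchcase

# Constructed sample sshd_config fragment (not a real system's file).
SAMPLE_CONFIG = """
# only the two admins may log in over ssh; the hosting account may not
AllowUsers macidiot admin
DenyUsers friend
AllowGroups staff
"""

def parse_rules(text):
    """Collect the patterns listed for each of the four directives."""
    rules = {"DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": []}
    by_lower = {key.lower(): key for key in rules}   # keywords are case-insensitive
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = by_lower.get(parts[0].lower())
        if key and len(parts) == 2:
            rules[key].extend(parts[1].split())
    return rules

def _user_match(pattern, user, host):
    """Match a user pattern, honouring the optional USER@HOST form."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatchcase(user, upat) and fnmatchcase(host, hpat)
    return fnmatchcase(user, pattern)

def login_allowed(rules, user, groups, host="localhost"):
    """Return (allowed, deciding directive) following sshd's evaluation order."""
    if any(_user_match(p, user, host) for p in rules["DenyUsers"]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not any(_user_match(p, user, host) for p in rules["AllowUsers"]):
        return False, "AllowUsers"
    if any(fnmatchcase(g, p) for g in groups for p in rules["DenyGroups"]):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not any(fnmatchcase(g, p) for g in groups for p in rules["AllowGroups"]):
        return False, "AllowGroups"
    return True, "no directive denied the login"
```

Because the deny checks run first and an AllowUsers list rejects everyone not on it, a user who appears in both lists is still refused, and an account left off AllowUsers is refused even without a DenyUsers entry.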
Do I need to restart to make this active, or is there another way? I added denyusers, but it still lets the account log in via ssh.
#7  scruffy (Notorious Olive Counter, Soviet Canuckistan), July 29th, 2004, 09:26 PM
On OS X the ssh server doesn't listen as a daemon; it is activated by xinetd for each new connection. What that means is, once you change the config file, it will be read from scratch for every new connection, so there's no need to restart anything.
#8  legacyb4 (Registered User, Tokyo, Japan), July 30th, 2004, 01:03 AM
For what it's worth, I prefer the AllowUsers approach instead as you are explicitly allowing a single user (you) and denying all others access.

Kind of like telling a bouncer to keep everyone out except for me rather than to watch out for that seedy little guy who keeps trying to get in.

Cheers.

Quote:
Originally Posted by macidiot
Do I need to restart to make this active, or is there another way? I added denyusers, but it still lets the account log in via ssh