# Allowing only certain users to ssh



## macidiot (Jul 28, 2004)

I recently added a user account for a friend so that he could host a small website on my server.  I want him to have ftp access, but no ssh access.  I have been searching on the web for about an hour or so, and I think my answer lies in adding an "allowuser" command in the ssh_config file, but I can't seem to find a whole lot of info on how to use it.

What do I need to do to only allow ssh access to two users (and not him)?

Thanks,
Macidiot


----------



## michaelsanford (Jul 28, 2004)

The simplest way to accomplish this is to give him no shell (or more specifically, a null shell).

1. Open /Applications/Utilities/NetInfo Manager;
2. Select /Users/him in the three panes;
3. Click the lock, if locked, so you can make changes;
4. Change the value of "shell" to "/usr/bin/false";
5. Hit APPLE-S to save changes, saying yes to any messages about updating local domains, etc. Then under the Management menu, choose Restart Local NetInfo Domains for the changes to take effect;

This next step is important if you want your user still to have FTP access:
In a terminal window type *cat /etc/shells* and check to see if /usr/bin/false is listed. As you can see from the comment at the top of that file, if the shell is not listed there then the user won't be allowed to log in over FTP.

If it's not listed, add it by typing *sudo pico /etc/shells* scroll down to the end of the list and type it in. Type CTRL-X to quit, pressing "y" to save, hitting ENTER to use the original file name.

Since FTPd is called from xinetd on OS X only when someone tries to connect, you won't need to restart it since FTPd doesn't run all the time.

PS While in NetInfo Manager you can also move his home directory, if it would be useful to do so to, say, another partition.
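The /etc/shells test described above, as an added example that is not part of the original post: a POSIX shell script that reproduces the getusershell(3) check ftpd applies to an account's login shell, run against constructed copies of /etc/shells and a passwd-style record, so you can confirm the account would still be let in over FTP once its shell is /usr/bin/false. The file contents, user names and the `add_shell` helper are constructed for the demonstration; on 2004-era OS X the account data lives in NetInfo rather than /etc/passwd, so the passwd file here only stands in for the "shell" value in NetInfo Manager.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the /etc/shells check ftpd
# performs on a login shell via getusershell(3), using constructed files in a
# temporary directory. getusershell skips comment lines and returns the first
# whitespace-delimited path on each remaining line; that is what we compare.

set -f
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/shells; the header mirrors the comment the post refers to.
cat > "$WORK/shells" <<'EOF'
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh
EOF

# Constructed passwd-style records standing in for NetInfo user entries.
# Fields: name:password:uid:gid:gecos:home:shell
cat > "$WORK/passwd" <<'EOF'
macidiot:*:501:501:Mac Idiot:/Users/macidiot:/bin/tcsh
friend:*:502:502:Web Friend:/Users/friend:/usr/bin/false
EOF

# login_shell PASSWD USER: print the user's shell field (empty if no such user)
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# shell_listed SHELLS PATH: success if PATH is the first token of a
# non-comment line in SHELLS, which is how getusershell(3) reads the file
shell_listed() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        $1 == want { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# ftp_login_ok PASSWD SHELLS USER: the two shell conditions ftpd checks:
# the account has a shell, and that shell is listed in /etc/shells
ftp_login_ok() {
    shell_path=$(login_shell "$1" "$3")
    [ -n "$shell_path" ] && shell_listed "$2" "$shell_path"
}

# add_shell SHELLS PATH: append PATH unless already listed (what the post
# does by hand with pico); safe to run twice
add_shell() {
    shell_listed "$1" "$2" || printf '%s\n' "$2" >> "$1"
}

# Before the edit: macidiot passes, friend (shell /usr/bin/false) is refused
for u in macidiot friend; do
    if ftp_login_ok "$WORK/passwd" "$WORK/shells" "$u"; then
        echo "$u: ftp login would be allowed"
    else
        echo "$u: ftp login would be refused (shell not in /etc/shells)"
    fi
done

# After adding /usr/bin/false to /etc/shells, friend passes too
add_shell "$WORK/shells" /usr/bin/false
if ftp_login_ok "$WORK/passwd" "$WORK/shells" friend; then
    echo "friend: ftp login would be allowed after adding /usr/bin/false"
fi
```

Run it with `sh`; it prints a verdict per user before and after /usr/bin/false is appended. Two caveats worth knowing before choosing this approach: scp and sftp are refused as well once the shell is /usr/bin/false, because sshd starts both through the account's login shell, and /etc/shells is not ftpd's only gate, since a name listed in /etc/ftpusers is refused regardless of shell. If the check above passes and FTP still refuses the account, look there and in the ftpd log rather than at /etc/shells again.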


----------



## scruffy (Jul 29, 2004)

Check the sshd_config manpage.

You're right that that's what you want, the AllowUsers directive.  Basically, all you do is put a line in /etc/sshd_config like

AllowUsers somebody somebodyelse

Any user whose username is not somebody or somebodyelse will then be disallowed from connecting to ssh.


----------



## macavenger (Jul 29, 2004)

Would there, by any chance, be a corresponding DenyUsers directive, if you have more people you want to allow than deny? Just curious.


----------



## pedz (Jul 29, 2004)

There are AllowUsers, AllowGroups, DenyUsers and DenyGroups.  There are patterns.

Do sshd_config to google and pick the one that says sshd_config(5)

I wonder why Mac OS X doesn't have those man pages.
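The AllowUsers line scruffy shows and the four directives pedz lists, as an added example that is not part of any post above: a POSIX shell script that models how sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups, in the order sshd_config(5) documents them, so you can see who a given config would let in before relying on it. As sshd_config(5) states, keywords are matched case-insensitively and arguments (the user and group names) case-sensitively; patterns may use `*` and `?`. The config text, user names and group memberships are constructed for the demonstration, and the `user@host` form of AllowUsers is not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): model sshd's evaluation of the four
# user/group restriction directives in the documented order:
#   DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.
# Every applicable directive must pass, so AllowGroups still restricts a
# user who passed AllowUsers.

set -f   # no filename globbing: the * and ? patterns must reach case/for untouched

# Constructed sshd_config fragment. "denyusers" is deliberately lower case
# to show that keyword matching ignores case.
SAMPLE_CONFIG='# constructed sshd_config fragment
Port 22
denyusers friend
AllowUsers somebody somebodyelse admin?
AllowGroups wheel
'

# directive_args CONFIG KEYWORD: print the arguments of every line whose
# keyword equals KEYWORD ignoring case; comments and blank lines are skipped.
directive_args() {
    printf '%s\n' "$1" | awk -v kw="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) printf "%s ", $i }
    '
}

# matches NAME PATTERNS: success if NAME matches any of the space-separated
# patterns; case(1) provides the same * and ? wildcards sshd accepts.
matches() {
    name=$1
    for pat in $2; do
        case $name in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# ssh_allowed CONFIG USER GROUPS: GROUPS is the user's space-separated group
# list. Returns 0 if every applicable check passes, 1 if any of them refuses.
ssh_allowed() {
    deny_u=$(directive_args "$1" DenyUsers)
    allow_u=$(directive_args "$1" AllowUsers)
    deny_g=$(directive_args "$1" DenyGroups)
    allow_g=$(directive_args "$1" AllowGroups)
    user=$2
    groups=$3

    # 1. DenyUsers: a listed name is refused outright
    if matches "$user" "$deny_u"; then return 1; fi
    # 2. AllowUsers: once present, only listed names may continue
    if [ -n "$allow_u" ]; then
        if ! matches "$user" "$allow_u"; then return 1; fi
    fi
    # 3. DenyGroups: membership in any listed group refuses
    for g in $groups; do
        if matches "$g" "$deny_g"; then return 1; fi
    done
    # 4. AllowGroups: once present, membership in a listed group is required
    if [ -n "$allow_g" ]; then
        for g in $groups; do
            if matches "$g" "$allow_g"; then return 0; fi
        done
        return 1
    fi
    return 0
}

# verdict USER GROUPS: one printed line per candidate
verdict() {
    if ssh_allowed "$SAMPLE_CONFIG" "$1" "$2"; then
        echo "$1 ($2): allowed"
    else
        echo "$1 ($2): refused"
    fi
}

verdict friend   "staff wheel"   # refused: DenyUsers wins whatever else lists him
verdict somebody "staff wheel"   # allowed
verdict somebody "staff"         # refused: AllowGroups applies on top of AllowUsers
verdict admin1   "wheel"         # allowed: matches the admin? pattern
verdict Somebody "wheel"         # refused: names are compared case-sensitively
```

Run it with `sh`. The point the verdicts make is that once any Allow directive is present the default flips from "everyone" to "nobody but these", and that a Deny entry is checked first and wins; the real sshd applies the same order, so a config that combines AllowUsers and AllowGroups admits only accounts that satisfy both.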


----------



## macidiot (Jul 29, 2004)

Do I need to restart to make this active, or is there another way?  I added denyusers, but it still lets the account log in via ssh


----------



## scruffy (Jul 29, 2004)

On OS X the ssh server doesn't listen as a daemon; it is activated by xinetd for each new connection. What that means is, once you change the config file, it will be read from scratch for every new connection - no need to restart anything.


----------



## legacyb4 (Jul 30, 2004)

For what it's worth, I prefer the AllowUsers approach instead as you are explicitly allowing a single user (you) and denying all others access.

Kind of like telling a bouncer to keep everyone out except for me rather than to watch out for that seedy little guy who keeps trying to get in.

Cheers.



			
				macidiot said:
			
		

> Do I need to restart to make this active, or is there another way?  I added denyusers, but it still lets the account log in via ssh


----------



## scruffy (Jul 30, 2004)

I suspect capitalization is important - denyusers is not the same as DenyUsers


----------



## pedz (Jul 30, 2004)

The source code has "denyusers" in all lower case so my *guess* is that there is a conversion to all lowercase before the compare.


----------



## macidiot (Aug 1, 2004)

I've tried all the suggestions, allowusers with the usernames I would like to allow, and denyusers with just his. I've tried upper and lower case, but I can still ssh with that account.  Is the format: "AllowUsers username1 username2" or am I missing something?


----------



## macidiot (Aug 1, 2004)

michaelsanford said:

> The simplest way to accomplish this is to give him no shell (or more specifically, a null shell).



This did it for me, however it kills FTP, even though I did the second half of the instructions about adding /usr/bin/false to shells...


----------



## TommyWillB (Aug 1, 2004)

This is a very good thread!

Someone should clean it up and make it a HOWTO thread...


----------

