Tuesday, March 22, 2016

How to Restrict ssh Access

How to Restrict SSH Access for User1

  1. Modify /etc/security/access.conf and add the following line at the bottom of the file:
       - :User1:ALL EXCEPT server1.example.com server1 server2.example.com LOCAL
  2. Verify that these settings are present in /etc/ssh/sshd_config:
       UsePAM yes
       PasswordAuthentication yes
       ChallengeResponseAuthentication no
  3. Verify or modify /etc/ssh/sshd_config and remove tomcat from DenyUsers if listed:
       DenyUsers UserX UserY UserZ
  4. Modify /etc/pam.d/login and add this line before the "account system-auth" line
     (NOTE: to restrict ssh only, only the sshd file in pam.d needs to be modified):
       account    required     pam_access.so
  5. Modify /etc/pam.d/sshd and add this line before "account include password-auth":
       account    required     pam_access.so
  6. Restart sshd:
       # service sshd restart
  7. Set a temporary password for user1:
       # passwd user1
  8. Test login from server1 and server2. It should be possible to log in with the password:
       [user1@server1 ~]$ ssh user1@server2
  9. Test login from some other Linux box; this should fail:
       [serverX@web]$ ssh user1@server1
       Kernel \r on an \m
       user1@server2 password:
       Connection closed by server
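To check the access.conf line from step 1 against expected origins before it locks anyone out, here is a small evaluator written for this post (not part of the original, and not the pam_access module itself) that applies the same first-match logic pam_access uses: the first rule whose user list and origin list both match decides, and no match means access is granted. It assumes only the syntax used on this page (a +/- permission, a user name or ALL, origin lists with ALL, ALL EXCEPT, LOCAL and host names) and the classic LOCAL meaning of "any origin without a dot"; the real module also matches groups, netgroups, addresses and ttys.

```python
# Added example (not from the original post): first-match evaluation of
# access.conf rules as pam_access does it. Assumption: only the syntax used
# on this page is handled (no groups, netgroups, addresses or ttys).

# Constructed sample mirroring the line added in step 1
ACCESS_CONF = """\
# /etc/security/access.conf (constructed sample)
- :User1:ALL EXCEPT server1.example.com server1 server2.example.com LOCAL
"""


def _user_matches(token: str, user: str) -> bool:
    return token == "ALL" or token == user


def _origin_matches(token: str, origin: str) -> bool:
    # ALL matches everything; LOCAL uses the classic pam_access rule
    # (any origin without a dot); anything else is an exact host name match.
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    return token.lower() == origin.lower()


def _list_matches(tokens, value, match) -> bool:
    # Handles both "a b c" and "ALL EXCEPT a b c" lists.
    if tokens[:2] == ["ALL", "EXCEPT"]:
        return not any(match(t, value) for t in tokens[2:])
    return any(match(t, value) for t in tokens)


def access_allowed(conf: str, user: str, origin: str) -> bool:
    """True if pam_access would let `user` log in from `origin` under `conf`."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            continue  # malformed line: pam_access logs it and skips it
        perm, users, origins = fields[0], fields[1].split(), fields[2].split()
        if (_list_matches(users, user, _user_matches)
                and _list_matches(origins, origin, _origin_matches)):
            return perm == "+"
    return True  # no rule matched: access is granted


if __name__ == "__main__":
    for origin in ("server1.example.com", "server2.example.com", "10.0.0.5"):
        print(origin, "allow" if access_allowed(ACCESS_CONF, "User1", origin) else "deny")
```

Running it shows User1 allowed from the two listed servers and denied from a constructed address such as 10.0.0.5, while any other user is unaffected by the rule.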