Page 1 of 3
Results 1 to 10 of 29

Thread: SSH block commands

  1. #1
    Join Date
    Dec 2012
    Beans
    26

    SSH block commands

    Hi everyone,
    I just downloaded Ubuntu Server Edition (LTS) yesterday as my first pure Linux operating system and I'm having trouble with a blatant security problem in SSH. When I connect to the server from Terminal on my Mac everything works perfectly, only it's too perfect. My problem is with the fact that SSH allows me to switch to the root user on the server even though I blocked it in the SSHD_config file already. If anyone knows how to block the SU command or just stop SSH users from switching accounts that'd be great.

    Thanks in advance

  2. #2
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    7,899

    Re: SSH block commands

    Hmm, maybe because it is the sshd_config file? Case is important.

  3. #3
    Join Date
    Apr 2011
    Location
    Maryland
    Beans
    1,461
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: SSH block commands

    I might be wrong about this, but I think you can't do what you want with an SSH configuration. I think the ssh config will just allow or disallow users from logging in. Once they're logged in, you'll need to limit their activities just as you would on any Linux system (group permissions, sudoers, etc.). You can disable root from logging in to your ssh server directly. However, once an admin user is logged in, ssh can't stop that user from su.

  4. #4
    Join Date
    May 2010
    Location
    Tewkesbury uk
    Beans
    7,625
    Distro
    Ubuntu Development Release

    Re: SSH block commands

    Hi

    Only allow users with limited power to log in.

    Look at the AllowUsers section in the ssh_config file.

    Kind regards
    Join us on irc at #ubuntuforums. For web chat see here

    If you believe everything you read, you better not read. ~ Japanese Proverb

    Do not read newspapers on an empty stomach ~ Russian Proverb ~ BrunoLotse

  5. #5
    Join Date
    Dec 2012
    Beans
    26

    Re: SSH block commands

    Hi everyone, thanks for replying so quickly,
    My allow users is already set to two specified users separated by spaces and I have disabled root login already. If it can't be done from ssh config how would I block the user from switching accounts? The sudo command was already disabled by default but that doesn't seem to be helping anything.
    Thanks

  6. #6
    Join Date
    Nov 2008
    Location
    BSAA Headquarters
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: SSH block commands

    Originally posted by bellygrevios:
    > Hi everyone, thanks for replying so quickly,
    > My allow users is already set to two specified users separated by spaces and I have disabled root login already. If it can't be done from ssh config how would I block the user from switching accounts? The sudo command was already disabled by default but that doesn't seem to be helping anything.
    > Thanks

    So, if you type
    Code:
    su
    it lets you in without a password?

    If that is the case, you have a bigger issue than blocking users from switching accounts.

    If it allows you to type a password, try
    Code:
    sudo passwd -dl root
    then log out and try su again.

  7. #7
    Join Date
    May 2006
    Location
    Milwaukee,WI
    Beans
    6,092
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: SSH block commands

    It appears as though you're saying these users who are allowed to log in via ssh are in the sudoers file. If you don't want users to be able to use sudo, you need to remove them from the sudoers file. Give them limited capabilities.
    Check out my Blog about my life and computer software and hardware. http://ubuntuaddicted.blogspot.com/
    My YouTube channel:
    http://www.youtube.com/ubuntuaddicted

  8. #8
    Join Date
    Dec 2012
    Beans
    26

    Re: SSH block commands

    Originally posted by sandyd:
    > So, if you type
    > Code:
    > su
    > it lets you in without a password?
    >
    > If that is the case, you have a bigger issue than blocking users from switching accounts.
    >
    > If it allows you to type a password, try
    > Code:
    > sudo passwd -dl root
    > then log out and try su again.

    No, if you type in su it still prompts me for the root password or whatever user I enter, but I don't want to give them the option of switching accounts.

  9. #9
    Join Date
    Dec 2012
    Beans
    26

    Re: SSH block commands

    Originally posted by dannyboy79:
    > It appears as though you're saying these users who are allowed to log in via ssh are in the sudoers file. If you don't want users to be able to use sudo, you need to remove them from the sudoers file. Give them limited capabilities.

    The account is not in the sudoers folder, it currently cannot use sudo but it still has the option to switch users to an account that is in the sudoers folder such as root or my personal account on the computer.

  10. #10
    Join Date
    May 2006
    Location
    Milwaukee,WI
    Beans
    6,092
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: SSH block commands

    Originally posted by bellygrevios:
    > The account is not in the sudoers folder, it currently cannot use sudo but it still has the option to switch users to an account that is in the sudoers folder such as root or my personal account on the computer.

    Sure they can try to switch accounts, but if they don't know the password then it would fail, right?

    OR maybe look into pam_wheel

    or does this help? http://www.cyberciti.biz/tips/linux-...to-system.html
    Last edited by dannyboy79; December 10th, 2012 at 09:58 PM.
    Check out my Blog about my life and computer software and hardware. http://ubuntuaddicted.blogspot.com/
    My YouTube channel:
    http://www.youtube.com/ubuntuaddicted
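
The settings raised in the replies above (root login and AllowUsers in the server's sshd_config, and pam_wheel for su), as an added example that is not part of any post in this thread: a small audit script that reports whether su is limited by pam_wheel and what sshd is told about root login and allowed users. It reads copies of /etc/pam.d/su and /etc/ssh/sshd_config passed as arguments; the sample files are constructed, and the users alice and bob and the group suusers are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the settings discussed above.

# su_restricted FILE: true if FILE (a copy of /etc/pam.d/su) has an active,
# uncommented "auth required pam_wheel.so" line limiting who may run su.
su_restricted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# sshd_value FILE KEYWORD: print the value of the first uncommented KEYWORD
# line. Keywords are case-insensitive and sshd keeps the first value it reads.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit PAM_SU_FILE SSHD_CONFIG: one-line findings for both files.
audit() {
    if su_restricted "$1"; then
        echo "su: limited to the pam_wheel group"
    else
        echo "su: not restricted by pam_wheel"
    fi
    echo "PermitRootLogin: $(sshd_value "$2" PermitRootLogin)"
    echo "AllowUsers: $(sshd_value "$2" AllowUsers)"
}

# Constructed sample files; alice, bob and the group "suusers" are hypothetical.
d=$(mktemp -d)
cat > "$d/su.default" <<'EOF'
auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
EOF
cat > "$d/su.hardened" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so group=suusers
EOF
cat > "$d/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
AllowUsers alice bob
EOF

audit "$d/su.default"  "$d/sshd_config"
audit "$d/su.hardened" "$d/sshd_config"
```

With the pam_wheel line commented out, any account that can log in may still attempt su and succeeds if it knows the target password; with the line active, accounts outside the named group are refused before the password matters.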
