
Thread: openSSH - Limiting access to users...

  1. #1
    Join Date
    Oct 2008
    Beans
    27

    openSSH - Limiting access to users...

    I have a sheevaplug with Ubuntu Server 9.04.

    I've managed to set up access via ssh for:

    User1
    User2
    ..
    User5

    I'd like to set up the access rights so that User1 has access to all files and directories via sudo, and User2 through User5 only has access to their own directories and nothing else. The public keys are held in each users .ssh home directory.

    Could you also point me in the direction of a good Samba share thread? I'd like each user to have access via their Linux or Windows PCs to their own server folders.

    Thanks for your assistance.

  2. #2
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Group-level access control

    Can you clarify a little more what you mean by all access for user1?

    For user2 - user5, they already have their own groups. So create a group (e.g. rusers) and add them to it, then put that group in /etc/ssh/sshd_config
    Code:
    Subsystem sftp internal-sftp
    
    Match Group rusers
       ChrootDirectory /home
       AllowTCPForwarding no
       X11Forwarding no
    That will allow SFTP access only, and only to the user's own directory.

    Then you'll need to set the permissions for those home directories so that they are owned by root and not writeable by anyone else. They need to be readable by the user, of course, and as you wish they must not be readable by any others, except user1


    drwxr-x--- 4 root user2 4096 2009-10-04 13:10 user2
    drwxr-x--- 4 root user3 4096 2009-10-04 13:10 user3
    drwxr-x--- 4 root user4 4096 2009-10-04 13:10 user4
    drwxr-x--- 4 root user5 4096 2009-10-04 13:10 user5

    Then for any subdirectories make those writeable by the respective users. Add user1 to the groups user2 - user5.


    # -a appends to the supplementary groups; without it, -G replaces them
    sudo usermod -a -G user2,user3,user4,user5 user1

    Was that heading in the direction you wanted?

  3. #3
    Join Date
    Oct 2008
    Beans
    27

    Re: openSSH - Limiting access to users...

    Wow.

    This looks to be exactly what I'm looking for. Sorry about not being more clear. I'm learning more about Linux all the time, but mostly persevering by way of being the "King of Copy & Paste"

    For User1, I just mean having full Admin rights. I want to keep root out of the ssh group.

    You've given me just the advice that I needed. I'll now go and look up just what it is you've told me, but I'm happy to do that.

    Cheers. Lovin' Linux.


    (Oh. If anyone can point me to a thorough Samba thread, I'd greatly appreciate that. I don't really want to ask a million and one questions about that, until I'm well & truly stuck)

  4. #4
    Join Date
    Oct 2008
    Beans
    27

    Re: openSSH - Limiting access to users...

    OK.

    I have set my permissions for each of user1 to user5 as directed:

    For instance:

    drwxr-x--- 3 user1 user1 4096 Oct 4 22:30 /home/user1

    I have set up User1 as Admin & set up all users except root as rusers. I have modified the sshd_config file as requested.

    I was getting an error when restarting the ssh server as follows:

    "/etc/ssh/sshd_config line 87: Directive 'UsePAM' is not allowed within a Match block"

    I tried each option yes or no and in the end placed UsePAM=no above your supplied code, restarted and the message no longer appears.

    I ran the command "usermod..." as requested.

    I have restarted the server, however, I can no longer access the server via PuTTY (Windows XP) with user2 through user5. user1 logs in fine. It stops at authentication and the log shows this error:

    "/bin/bash: No such file or directory"

    I can log in as root and user1, so I'm guessing there's something I haven't done correctly when setting up the groups admin & rusers. One point to note though is that all users and root have to log in with an ssh key, but only root and user1 require a password with the key. user2 to user5 are using a passwordless key. Perhaps it's this?



    The command groups shows just root even though I know I have created the admin and rusers groups.

    I created admin with the following command:

    "addgroup --system admin; echo "%admin ALL=(ALL) ALL" >> /etc/sudoers && adduser user1 admin"

    & rusers was created with the "addgroup rusers" & all users were added to rusers group with "adduser userX rusers"

    What do you think I've missed please?

  5. #5
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: openSSH - Limiting access to users...

    Have a look at this page; it may be of some help.

  6. #6
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Match

    Quote Originally Posted by Badcam:
    OK.
    "/etc/ssh/sshd_config line 87: Directive 'UsePAM' is not allowed within a Match block"
    Match can only act upon a subset of sshd_config keywords:
    AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding and X11UseLocalHost.

    UsePAM is not one of them. Try putting the Match block at the very end of the config file.

    Which editor do you use? To get to line 87,
    For vi, enter '87G'
    For emacs, 'ESC-g-g87'
    For nano or pico, 'ESC-g87' or 'CTRL-_87'
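The "Directive 'UsePAM' is not allowed within a Match block" error comes from a rule that is easy to violate by accident: everything after a Match line belongs to that block until the next Match or the end of the file, so any global directive that ends up below the block is rejected. The lint below, added here as an example and not from the thread, walks an sshd_config and reports every directive inside a Match block that is not in the keyword list post #6 gives (the list is the OpenSSH 5.x one; newer releases accept more keywords in Match, so extend the list for your version). It assumes a POSIX awk and takes the config path as a parameter.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX awk.

# Report directives that sit inside a Match block but are not permitted there.
# Prints "line N: Keyword is not allowed inside a Match block" per offender;
# returns 0 when the file is clean, 1 otherwise.
lint_match_blocks() {
    awk '
    BEGIN {
        # Keywords Match may act upon, as listed in post #6 (OpenSSH 5.x era).
        n = split("AllowAgentForwarding AllowTcpForwarding Banner ChrootDirectory " \
                  "ForceCommand GatewayPorts GSSAPIAuthentication HostbasedAuthentication " \
                  "KbdInteractiveAuthentication KerberosAuthentication MaxAuthTries MaxSessions " \
                  "PasswordAuthentication PermitEmptyPasswords PermitOpen PermitRootLogin " \
                  "PubkeyAuthentication RhostsRSAAuthentication RSAAuthentication " \
                  "X11DisplayOffset X11Forwarding X11UseLocalHost", a, " ")
        for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
        inmatch = 0; bad = 0
    }
    {
        line = $0
        sub(/#.*/, "", line)                  # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
        if (line == "") next
        split(line, f, "[ \t=]+")             # "Keyword value" or "Keyword=value"
        kw = tolower(f[1])
        if (kw == "match") { inmatch = 1; next }   # a new Match starts a new block
        if (inmatch && !(kw in ok)) {
            printf "line %d: %s is not allowed inside a Match block\n", NR, f[1]
            bad++
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Usage: sh thisfile.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    lint_match_blocks "$1" || echo "move the flagged directives above the first Match line, then run sshd -t"
fi
```

The fix for anything it flags is the one post #6 gives: move the global directive above the first Match line, or put the Match blocks at the very end of the file.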

  7. #7
    Join Date
    Oct 2008
    Beans
    27

    Re: openSSH - Limiting access to users...

    OK. I think I have most of this resolved and hopefully just one issue left and that's the "/bin/bash: No such file or directory" problem when trying to login via puTTy.

    I guess it's because I don't have /bin/bash directories set up in any of the user directories. They're all empty. Should I just create these directories, or is there something else I should be doing in order to get these directories established?

    Thanks.

  8. #8
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Groups

    Quote Originally Posted by Badcam:
    OK.
    The command groups shows just Root even though I know I have created the admin and rusers groups.
    The program groups without any options will show the groups the current user is a member of. So if you are logged in as root, then it will show the groups root is a member of.

    Code:
    # show group membership for some users
    groups root
    groups user1
    groups user2
    groups user3
    groups user4
    groups user5
    
    # the same thing, with a fancier bash trick (brace expansion)
    groups root user{1,2,3,4,5}

  9. #9
    Join Date
    Oct 2008
    Beans
    27

    Re: openSSH - Limiting access to users...

    Wow, I'm so silly. Thanks.

    I get these results, which I'm happy with:


    root@sheevaplug:/# groups root
    root sshusers
    root@sheevaplug:/# groups user1
    user1 user2 user3 user4 admin sshusers
    root@sheevaplug:/# groups user2
    user2 sshusers (and similar for user3 to user5).

  10. #10
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    SFTP vs Chrooted bash

    Quote Originally Posted by Badcam:
    I guess it's because I don't have /bin/bash directories set up in any of the user directories. They're all empty.
    Ok. I had assumed you wanted to use SFTP to work with the files to keep the server side as simple as possible. AFAIK, PuTTY has SFTP support. If not or if it is not nice enough, there is Filezilla.

    Otherwise, you get to populate the chroot directories with the various utilities (e.g. bash, ls, cp, mv, rm, etc) and their dependent libraries.

    ldd will show which libraries are needed. Once you have it working for one user, use tar to copy the set up to the other user accounts.

    Code:
    $ ldd /bin/bash
            linux-vdso.so.1 =>  (0x00007fff24851000)
            libncurses.so.5 => /lib/libncurses.so.5 (0x00007ff7a3131000)
            libdl.so.2 => /lib/libdl.so.2 (0x00007ff7a2f2d000)
            libc.so.6 => /lib/libc.so.6 (0x00007ff7a2bbe000)
            /lib64/ld-linux-x86-64.so.2 (0x00007ff7a3374000)
    # every path below is relative to the chroot root, so it must sit under
    # whatever ChrootDirectory is set to in sshd_config
    $ mkdir -p /home/user2/bin /home/user2/lib
    $ cd /home/user2; ln -s lib lib64
    $ cp /bin/bash /home/user2/bin/bash
    $ cp /lib/libncurses.so.5 /home/user2/lib/libncurses.so.5
    $ cp /lib/libdl.so.2 /home/user2/lib/libdl.so.2
    $ cp /lib/libc.so.6 /home/user2/lib/libc.so.6
    $ cp /lib64/ld-linux-x86-64.so.2 /home/user2/lib64/ld-linux-x86-64.so.2
    That was for bash. The other programs would follow the same process. I'm sure there must be a convenient script to do that in an automated manner, but didn't find it.
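The script post #10 did not find is short enough to write here. The following is an added example, not from the thread: it copies a binary and every shared object ldd reports for it into a chroot directory, keeping the absolute paths so the dynamic loader finds them after sshd chroots the session, then strips group/world write bits so a chrooted user cannot replace a library. Assumptions: a Linux system with ldd (a glibc or musl loader) and GNU/BSD cp supporting -L; the chroot directory and binary are parameters; running it as root and then chowning the tree to root is still required for sshd's ChrootDirectory rules, which this script does not do.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with ldd and cp -L.

# Copy BIN and its shared-library dependencies into CHROOT at the same
# absolute paths they have on the host. Prints the number of files copied.
install_into_chroot() {
    chroot="$1"; bin="$2"
    [ -d "$chroot" ] || { echo "no such directory: $chroot" >&2; return 1; }
    case "$bin" in /*) ;; *) echo "binary must be an absolute path: $bin" >&2; return 1 ;; esac
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }

    # ldd runs the dynamic loader on its argument, so only point it at trusted
    # system binaries. Its lines look like "libc.so.6 => /lib/libc.so.6 (0x...)"
    # or "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every field that is a path.
    deps=$(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')

    count=0
    for p in "$bin" $deps; do
        mkdir -p "$chroot$(dirname "$p")"
        cp -L "$p" "$chroot$p" || return 1   # -L: copy the real file behind any symlink
        count=$((count + 1))
    done

    # Nothing in the chroot may be writable by the confined user, or the
    # user could swap in their own libc and escape the restrictions.
    chmod -R go-w "$chroot"
    echo "$count"
}

# Usage: sh thisfile.sh /home/user2 /bin/bash /bin/ls ...
if [ "$#" -ge 2 ]; then
    root="$1"; shift
    for b in "$@"; do
        n=$(install_into_chroot "$root" "$b") && echo "$b: $n file(s) installed under $root"
    done
fi
```

After populating one user's tree, `tar -C /home/user2 -cf - bin lib lib64 | tar -C /home/user3 -xf -` replicates it, as post #10 suggests; repeat the install whenever the host's libc is upgraded, since the copies do not follow package updates.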
