SuperDon
01-26-2002, 08:07 AM
Hi,
Is there any way to disable SSH for all users except for root?
I am starting to sell resellers accounts and do not want anyone to have SSH access - except me of course!
Thanks.
RutRow
01-26-2002, 08:50 AM
Several different ways to do this.
1. You can, and should, disable password authentication for ssh. Use RSA or DSA and don't install the public key on the server for the clients.
2. Use some type of firewall to block port 22 except for your IP.
3. Change their shell to /bin/false or equivalent.
I am sure there are other ways too. These just come to mind.
SuperDon
01-26-2002, 09:16 AM
Thanks for that.
I can't allow port 22 to only allow one IP as I don't have a static IP.
How do I go about setting the shell access to /bin/false? And will this limit what the user can do via their shell access?
I guess what I am really looking for is if a user is given SSH access then they can only see their own directories instead of being able to move around the server.
RutRow
01-26-2002, 11:45 AM
Originally posted by SuperDon
How do I go about setting the shell access to /bin/false? And will this limit what the user can do via their shell access?
chsh -s /bin/false user
man chsh
Yes, it will affect their shell, because they won't have one. :) It will, however, allow them to still have ftp access as long as /bin/false is in /etc/shells.
I guess what I am really looking for is if a user is given SSH access then they can only see their own directories instead of being able to move around the server.
This is an entirely different question. I think I read somewhere there was a facility built into some versions of ssh to do this. Also, chroot comes to mind, but as always there are side effects to be considered.
driverdave
01-27-2002, 02:02 AM
Yikes, I would NEVER just allow SSH from one IP. What happens when it changes?
SuperDon
01-27-2002, 11:47 AM
I was given this advice by pwebtech. Any thoughts?
"You should be able to restrict access by editing the /etc/group file. If you've got restrictions set up in /etc/group, chowning customer directories to individual customers' usernames and changing the permissions on any sensitive system areas so that only the system or root can do anything with them should give you the necessary protection."
And what exactly must I do to the group file?
RutRow
01-27-2002, 12:27 PM
Originally posted by driverdave
Yikes, I would NEVER just allow SSH from one IP. What happens when it changes?
Obviously... if you have a dynamic IP.
Even with a static IP I would recommend a bare minimum of 2 IPs allowed in.
ReliableServers
01-27-2002, 03:48 PM
If you're running FreeBSD you can edit the login.access file so as to only allow certain groups and deny the rest.
bombino
01-27-2002, 06:55 PM
For your purposes, I would recommend just changing everyone else's shell to /bin/false. This doesn't affect the SSH daemon at all and minimizes the risk of breaking anything. :D They just simply won't be allowed to log in.
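
An added example, not written by any poster in this thread: a dry-run planner for the /bin/false approach recommended above. It lists the non-root accounts that still have a login shell, prints the `chsh` command for each, and warns when /bin/false is missing from the shells file (the FTP condition RutRow mentions). The function names, the UID threshold of 500 and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for the "/bin/false for everyone but root" approach.
# Assumption: regular accounts have UID >= 500 (override MIN_UID to suit the system).
MIN_UID=${MIN_UID:-500}
NOLOGIN=/bin/false

# list_shell_users PASSWD_FILE: print "user shell" for each non-root account at
# or above MIN_UID whose shell is not $NOLOGIN (an empty field means /bin/sh).
list_shell_users() {
    awk -F: -v min="$MIN_UID" -v nologin="$NOLOGIN" '
        /^#/ || NF < 7 { next }   # skip comments and malformed lines
        $1 == "root"   { next }   # root keeps its shell
        $3 + 0 < min   { next }   # leave system accounts alone
        $7 != nologin  { print $1, $7 }
    ' "$1"
}

# shell_is_listed SHELLS_FILE: succeed if $NOLOGIN is a line in the shells file.
shell_is_listed() {
    grep -qxF "$NOLOGIN" "$1"
}

# plan_lockdown PASSWD_FILE SHELLS_FILE: print the chsh commands to run, plus a
# warning when the shells file would make FTP refuse the locked accounts.
plan_lockdown() {
    if ! shell_is_listed "$2"; then
        echo "# warning: $NOLOGIN is not in the shells file; FTP logins may be refused"
    fi
    list_shell_users "$1" | while read -r user rest; do
        echo "chsh -s $NOLOGIN $user"
    done
}

# demo: run the planner over constructed sample data (not from a real server).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:2:2:daemon:/sbin:/sbin/nologin' \
        'reseller1:x:501:501::/home/reseller1:/bin/bash' \
        'reseller2:x:502:502::/home/reseller2:/bin/false' \
        'reseller3:x:503:503::/home/reseller3:' > "$tmp/passwd"
    printf '%s\n' /bin/sh /bin/bash > "$tmp/shells"
    plan_lockdown "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo
```

On a real server, call `plan_lockdown /etc/passwd /etc/shells` and review the printed commands before running any of them as root.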