Web Hosting Talk







SSH **Again**


Cael
04-15-2001, 06:20 AM
Does SSH need to be enabled to let my users use it?

Or, once I add new users, will they automatically have access to SSH? If so, is there any way to prevent this, as I don't want to let all my users use SSH?

Please help. I posted about this in a few threads already.

Thank you in advance for those who can help :)

cperciva
04-15-2001, 07:04 AM
You *can* disallow SSH for specific users, but I don't see why you would want to. Perhaps you actually want to just disallow all shell access (telnet and SSH) for those users? You can do that by setting the shell to /sbin/nologin.

huck
04-15-2001, 09:48 AM
Donovan, if you allow shell access, why would you not want your users to use SSH?

If you want them to have no shell access, then you can toggle this in the control panel (at least on the Raq4) or use the /sbin/nologin method.

If you allow shell access, then why not let your clients use SSH? It is much more secure, and with good client-side software, ssh can be much more productive. For example, SSH Inc's client allows multiple windows, file transfer, and other options without having to log in twice.

Please clarify if your goals are no shell access or no ssh access. If you are not using ssh at all, I would recommend taking it off of your system or at least not running the daemon. There is no need to have more ports open than necessary.

Cael
04-16-2001, 06:54 AM
Well, I am thinking of letting my users have Telnet or SSH access for an additional fee. So, I just want to enable it for certain users who paid for it.

Actually, I don't mean every user on a Raq. I mean the accounts on my Raq. I don't want every one of them to have Telnet or SSH access.

If I disable the Telnet option in their accounts, will it disable SSH access for them as well?

cperciva
04-16-2001, 06:56 AM
Originally posted by Donovan
If I disable the Telnet option in their accounts, will it disable SSH access for them as well?

Yes.

huck
04-16-2001, 09:22 AM
If I disable the Telnet option in their accounts, will it disable SSH access for them as well?

Yes.
If you completely knock out shell access with the /sbin/nologin method, you will disable all methods of shell access. This method is how you control whether or not specific users have shell access. This method does not control the method by which a user connects.

No.
If you simply kill the telnet daemon, you can still have SSH connections. Telnet, FTP, and SSH all have their own daemons, so you can control these network protocols separately. To allow SSH-only connections, you do not have to modify any user shell settings or other items -- just simply start an SSH daemon and notify your users that SSH is required for shell connections.

SSH, Telnet, and Security/FTP
I do not know of a simple way to selectively restrict access to ssh and telnet on a per-user level, but then I do not know why you would want to do this anyway. SSH offers a secure method to do what telnet does and, with SSH2, offers multi-window sessions and file transfer possibilities. Many corporates and universities are moving to secure-only connections, using SSH and/or Kerberized connections. The reason is that packet sniffing for passwords is easy with all of the available software packages dedicated to this task.

My Setup
For security, we pass most of our network protocols through TCP wrappers. Notable exceptions being the web server and SSH. This allows connections to the web server and sshd from any IP. We then use the hosts.allow/hosts.deny files to lock down other network processes that we have not killed off entirely.

Cael
04-17-2001, 07:26 AM
Emm ....

What do I need to do with /sbin/nologin to block SSH access for the users of an account?

huck
04-17-2001, 08:14 AM
At least on the Raq4, all you have to do is toggle the no shell access check box for that user in the Control Panel.

Basically all this does is modify the /etc/passwd file.

Shell access is controlled in the passwd file:
user:x:100:10:User Name:/home/sites/home/users/user:/bin/badsh

The /bin/badsh at the end specifies that the user cannot log into the shell.

If they had shell access, it would point to /bin/bash or whatever shell you use.
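
The shell-field check described in the post above, as an added example that is not part of the original thread: a POSIX shell audit of a passwd-format file that reports which accounts still get a shell. The sample accounts are constructed, the function names are hypothetical, and /bin/false is added to the no-login list as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit field 7 of a passwd-format file.
# Shells treated as "no login": the two named in the thread, plus /bin/false (assumption).
NOLOGIN_SHELLS="/sbin/nologin /bin/badsh /bin/false"

make_sample() {   # constructed accounts, not from a real system
    cat <<'EOF'
admin:x:110:10:Site Admin:/home/sites/home/users/admin:/bin/bash
user:x:100:10:User Name:/home/sites/home/users/user:/bin/badsh
ftponly:x:101:10:FTP Only:/home/sites/home/users/ftponly:/sbin/nologin
legacy:x:102:10:Legacy:/home/sites/home/users/legacy:
EOF
}

# shell_status FILE -> one line per account: user<TAB>shell<TAB>allowed|blocked
shell_status() {
    awk -F: -v deny="$NOLOGIN_SHELLS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) blocked[d[i]] = 1 }
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        {
            sh = $7
            if (sh == "") sh = "/bin/sh"   # an empty shell field means the default shell
            printf "%s\t%s\t%s\n", $1, sh, ((sh in blocked) ? "blocked" : "allowed")
        }' "$1"
}

# users_with_shell FILE -> space-separated names of accounts that can get a shell
users_with_shell() {
    shell_status "$1" | awk -F'\t' '$3 == "allowed" { printf "%s%s", sep, $1; sep = " " }'
}

# set_shell FILE USER SHELL -> print FILE with USER's shell field replaced.
# Works on a copy; on a live system use usermod -s or the control panel instead.
set_shell() {
    awk -F: -v OFS=: -v u="$2" -v s="$3" '$1 == u { $7 = s } { print }' "$1"
}

# Demo on the constructed sample
sample=$(mktemp) && make_sample > "$sample"
shell_status "$sample"
```

A no-login shell only stops interactive sessions: OpenSSH still authenticates the account and can serve port-forwarding requests unless sshd_config forbids it (`AllowTcpForwarding no`, or `AllowUsers`/`AllowGroups` to keep an account out of sshd entirely).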

Cael
04-18-2001, 05:44 AM
So what I need to do to disable SSH access to any account on my box is to disable the Telnet thing in the control panel. Right?

allan
04-18-2001, 08:50 AM
Originally posted by Donovan
So what I need to do to disable SSH access to any account on my box is to disable the Telnet thing in the control panel. Right?

Correct :)

Cael
04-19-2001, 08:43 AM
Thanks.

Personally, I dislike messing with the /etc/ files, and luckily in this case I just need to do it in the control panel. :)

By the way, how do I close down telnet?

allan
04-19-2001, 08:50 AM
There are a couple of steps to shutting down telnet:

Log in to your server as admin, then su to root. Open the file:

/etc/inetd.conf

in either pico or vi.

Look for the line that reads:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
(or something close to that)

Comment out that line by placing a # in front of it.

Restart inetd:

/etc/rc.d/init.d/inet restart


That should do it :).
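
The inetd.conf edit from the steps above, as an added example that is not part of the original post: POSIX shell functions that comment out a service on a copy of the file and report which cleartext services inetd would still start. The sample file is constructed, the function names are hypothetical, and the service list is an assumption that is not exhaustive.

```shell
#!/bin/sh
# Added example (not from the thread): check an inetd.conf-format file.
# Services that carry logins or sessions unencrypted, named as in /etc/services
# (login = rlogin, shell = rsh, exec = rexec). Assumed list, not exhaustive.
CLEARTEXT="telnet ftp login shell exec"

make_inetd_sample() {   # constructed file, modelled on the line quoted in the post
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
time    stream  tcp  nowait  root  internal
EOF
}

# active_cleartext FILE -> space-separated cleartext services that are not commented out
active_cleartext() {
    awk -v list="$CLEARTEXT" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) clear[s[i]] = 1 }
        ($1 in clear) { printf "%s%s", sep, $1; sep = " " }' "$1"
}

# comment_out FILE SERVICE -> print FILE with SERVICE's line prefixed by "#"
comment_out() {
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1"
}

# Demo: disable telnet on a temporary copy, then re-check what is left.
conf=$(mktemp) && make_inetd_sample > "$conf"
echo "before: $(active_cleartext "$conf")"
comment_out "$conf" telnet > "$conf.new"
echo "after:  $(active_cleartext "$conf.new")"
```

inetd only rereads the file when restarted, as in the last step of the post; afterwards, confirm that nothing is listening on port 23.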

Cael
04-20-2001, 06:04 AM
Cool. I've done it.

Now I would like to know how to use SFTP?

allan
04-20-2001, 06:15 AM
Originally posted by Donovan

Now I would like to know how to use SFTP?

Take a look at WinSCP:

http://winscp.vse.cz/eng/

Secure FTP runs over SSH and sends all data from the user to the server in an encrypted format.

Cael
04-20-2001, 11:06 AM
What else can SSH do :) ?