Feature request: AlwaysDenyLogin, LoginDelayTime

Jim Knoble jmknoble at pobox.com
Thu Dec 11 10:40:54 EST 2008

Circa 2008-12-09 18:26 dixit Richard Stoughton:

: Please consider adding the following features to sshd:
: 1. AlwaysDenyLogin - a setting that will result in always denying
: login regardless of the credentials given by the client.

This capability is already available via several different methods:

    (a) Use the 'AllowGroups' keyword in your sshd_config file, together
        with a group containing no members.  For example, on a system
        which has useradd/groupadd:

            /usr/sbin/groupadd -g 2222 allowssh
            cd /etc/ssh
            cp -p sshd_config sshd_config.BACKUP
            echo 'AllowGroups allowssh' >>sshd_config

        (Of course, this method is even more useful if the 'allowssh'
        group actually contains members who should be allowed to log in
        via ssh...).

    (b) If your OpenSSH is configured with support for TCP wrappers, use
        /etc/hosts.allow and/or /etc/hosts.deny to configure what source
        IP addresses may use the ssh service.  For example:

            cd /etc
            test -f hosts.allow && cp -p hosts.allow hosts.allow.BACKUP
            cat >>hosts.allow <<'EOF'
            # only the local host may reach sshd; every other client is refused
            sshd: 127.0.0.1 : ALLOW
            sshd: ALL : DENY
            EOF

        The above will only allow use of the ssh service from the local
        host.  (Of course, this method is even more useful if you
        specify remote hosts which are allowed to connect to the ssh

        A similar configuration can be achieved using firewall rules.

    (c) If there is an ssh service where no user should be allowed to
        log in, then consider turning off the service.

If your goal isn't to deny all forms of login, but to restrict users to
the use of specific commands (such as scp or sftp), then you need a
different solution.  Consider using a restricted shell such as rssh
<http://rssh.sourceforge.net/> or scponly
<http://www.sublimation.org/scponly/>.  Some notes about rssh are

Alternatively, consider restricting authentication methods to
PubkeyAuthentication and restricting available commands in users'
.ssh/authorized_keys file.

If your goal is something else (for example, only allowing
portforwarding), you might try to be more specific.

: 2. LoginDelayTime - to specify a delay in milliseconds before the
: server responds to a client's login attempt.

This should be done using firewall rules, either at a network gateway or
on the host where the ssh server is running.

: These would help to employ brute force bots.

By 'employ', i am guessing you mean 'reduce risk from'.  

Good luck.

jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
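
Added example, not part of the message above: a small Python audit that resolves the effective global settings of an sshd_config and reports whether it achieves the two lockdowns discussed, "deny every login" via AllowGroups (method (a)) and "public keys only" (the authorized_keys alternative). It encodes the sshd_config(5) rules that make the `echo ... >>sshd_config` step in (a) fragile: for each keyword the first value in the file wins, and anything appended after a Match block is conditional rather than global. The sample configs, the group database and the user and group names are constructed for the example.

```python
"""Effective global settings of an sshd_config, and whether it achieves the
lockdowns discussed above: 'nobody can log in' (AllowGroups naming a group
with no members) and 'public keys only'.  Rules per sshd_config(5): keywords
are case-insensitive ('Key value' or 'Key=value'); for each keyword the FIRST
value in the file wins; lines after a 'Match' line apply only to matching
connections, not globally.  Hence 'echo "AllowGroups allowssh" >>sshd_config'
works only if no earlier AllowGroups line exists and the file does not
already end in a Match block.
"""
import fnmatch
import re

_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks): {keyword: first value} for the
    global section, and [(criteria, {keyword: first value})] per Match block."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue                        # keyword without value: sshd rejects it
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current = {}                    # everything below is conditional
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # first occurrence wins
    return global_settings, match_blocks


def login_denied_for_all(global_settings, group_members):
    """True if the global AllowGroups list can match no user.  group_members is
    {group: set of logins} (from 'getent group' plus primary groups); AllowGroups
    entries may use '*' and '?' wildcards, hence fnmatch."""
    allow = global_settings.get("allowgroups")
    if allow is None:
        return False                        # no AllowGroups: any user may try
    patterns = allow.split()
    for name, members in group_members.items():
        if members and any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return False
    return True


def pubkey_only(global_settings):
    """True if public-key authentication is the only method left globally.
    Defaults per sshd_config(5): PasswordAuthentication yes,
    KbdInteractiveAuthentication yes (ChallengeResponseAuthentication in older
    releases), PubkeyAuthentication yes.  GSSAPI/host-based default to no."""
    g = global_settings
    kbd = g.get("kbdinteractiveauthentication",
                g.get("challengeresponseauthentication", "yes"))
    return (g.get("passwordauthentication", "yes").lower() == "no"
            and kbd.lower() == "no"
            and g.get("pubkeyauthentication", "yes").lower() == "yes")


# Constructed sample: method (a)'s 'echo >>' applied to a file that already
# ends in a Match block, so the new line lands INSIDE that block.
APPENDED_INSIDE_MATCH = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
AllowGroups allowssh
"""

# Constructed sample: an earlier AllowGroups line exists; the appended one is
# silently ignored.
APPENDED_AFTER_EXISTING = """\
AllowGroups sysadmin
PasswordAuthentication no
AllowGroups allowssh
"""

# Constructed sample: the lockdown placed before any Match block.
LOCKED_DOWN = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowGroups allowssh
Match User backup
    PasswordAuthentication yes
"""

# Constructed group database: 'allowssh' exists but has no members.
GROUPS = {"sysadmin": {"alice"}, "users": {"alice", "bob"}, "allowssh": set()}


def audit(text, group_members=GROUPS):
    """Summarise the global lockdown state of one sshd_config text."""
    settings, _ = parse_sshd_config(text)
    return {"deny_all": login_denied_for_all(settings, group_members),
            "pubkey_only": pubkey_only(settings),
            "global_allowgroups": settings.get("allowgroups")}
```

On a live host, `sshd -T` (OpenSSH 5.1 and later) prints the effective global configuration and is the authoritative check; the audit above reproduces its first-match semantics so it can be run offline against a copied file, and `sshd -t` validates the syntax before a reload. The TCP-wrappers route in (b) is not modelled: it requires an sshd built with libwrap, which portable OpenSSH dropped in release 6.7, so on current systems the same source-address restriction is done with firewall rules or a `Match Address` block.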

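
Added example (mine, not the poster's) for the PubkeyAuthentication-plus-authorized_keys alternative: building a forced-command entry and parsing such entries back, including the quoting rules that trip up hand-edited files. The key material, the forced commands and the `backup@host` comment are constructed. `restrict` is the single-option form available since OpenSSH 7.2; the individual `no-*` flags work on older servers.

```python
"""Build and parse authorized_keys entries that confine a key to one command.
Option syntax per sshd(8) AUTHORIZED_KEYS FILE FORMAT: options are a
comma-separated list in front of the key; 'command="..."' forces that command
whatever the client asked for (the request is passed in $SSH_ORIGINAL_COMMAND);
'restrict' (OpenSSH 7.2+) or the individual no-* flags turn off pty
allocation, port/agent/X11 forwarding and ~/.ssh/rc.  Inside a quoted value
'\\"' stands for a literal double quote; option names are case-insensitive.
"""

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
LOCKDOWN_FLAGS = ("no-pty", "no-port-forwarding",
                  "no-agent-forwarding", "no-X11-forwarding")

# Constructed sample key: valid shape, not real key material.
SAMPLE_PUBKEY = ("ssh-ed25519 "
                 "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey000000000000 "
                 "backup@host")


def _is_key_type(token):
    return token in KEY_TYPES or token.startswith("sk-")


def restricted_entry(pubkey_line, command, restrict=True):
    """Prefix a public-key line with a forced command plus lockdown options.
    restrict=False spells out the no-* flags for servers older than 7.2."""
    escaped = command.replace('"', '\\"')
    lockdown = "restrict" if restrict else ",".join(LOCKDOWN_FLAGS + ("no-user-rc",))
    return f'command="{escaped}",{lockdown} {pubkey_line.strip()}'


def _split_options(line):
    """Split at the first whitespace outside double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
            i += 2                                  # escaped quote
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options not followed by a key")


def _parse_options(opts):
    """Turn 'a,b="x",c' into {'a': True, 'b': 'x', 'c': True}."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in ",=":
            j += 1
        name = opts[i:j].lower()
        if j < n and opts[j] == "=":
            if opts[j + 1:j + 2] != '"':
                raise ValueError(f"{name}: value must be double-quoted")
            j += 2
            buf = []
            while j < n and opts[j] != '"':
                if opts[j] == "\\" and opts[j + 1:j + 2] == '"':
                    j += 1                          # '\"' -> '"'
                buf.append(opts[j])
                j += 1
            if j >= n:
                raise ValueError(f"{name}: unterminated quoted value")
            j += 1                                  # closing quote
            result[name] = "".join(buf)
        else:
            result[name] = True
        i = j + 1 if j < n and opts[j] == "," else j
    return result


def parse_entry(line):
    """Parse one authorized_keys line into (options, key_type, key_b64, comment)."""
    line = line.strip()
    if not line:
        raise ValueError("empty line")
    options = {}
    if not _is_key_type(line.split(None, 1)[0]):
        opt_str, line = _split_options(line)
        options = _parse_options(opt_str)
    parts = line.split(None, 2)
    if len(parts) < 2 or not _is_key_type(parts[0]):
        raise ValueError("unrecognised key type")
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def is_confined(options):
    """True if the entry forces a command AND shuts the side channels."""
    if "command" not in options:
        return False
    return options.get("restrict") is True or all(
        options.get(f.lower()) is True for f in LOCKDOWN_FLAGS)
```

The forced command sees the client's requested command only in `$SSH_ORIGINAL_COMMAND`, so a wrapper script there must validate that value before acting on it; a `command=` entry without the `no-*` flags (or `restrict`) still leaves port forwarding open, which `is_confined` flags.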