Feature request: AlwaysDenyLogin, LoginDelayTime
Jim Knoble
jmknoble at pobox.com
Thu Dec 11 10:40:54 EST 2008
Circa 2008-12-09 18:26 dixit Richard Stoughton:
: Please consider adding the following features to sshd:
:
: 1. AlwaysDenyLogin - a setting that will result in always denying
: login regardless of the credentials given by the client.
This capability is already available, via several different methods:
(a) Use the 'AllowGroups' keyword in your sshd_config file, together
with a group containing no members. For example, on a system
which has useradd/groupadd:
    su
    /usr/sbin/groupadd -g 2222 allowssh
    cd /etc/ssh
    cp -p sshd_config sshd_config.BACKUP
    echo 'AllowGroups allowssh' >>sshd_config
(Of course, this method is even more useful if the 'allowssh'
group actually contains members who should be allowed to log in
via ssh...).
(b) If your OpenSSH is configured with support for TCP wrappers, use
/etc/hosts.allow and/or /etc/hosts.deny to configure what source
IP addresses may use the ssh service. For example:
    su
    cd /etc
    test -f hosts.allow && cp -p hosts.allow hosts.allow.BACKUP
    cat >>hosts.allow <<'EOF'
    sshd: 127.0.0.1: ALLOW
    sshd: ALL: DENY
    EOF
The above will only allow use of the ssh service from the local
host. (Of course, this method is even more useful if you
specify remote hosts which are allowed to connect to the ssh
service).
A similar configuration can be achieved using firewall rules.
(c) If there is an ssh service where no user should be allowed to
log in, then consider turning off the service.
If your goal isn't to deny all forms of login, but to restrict users to
the use of specific commands (such as scp or sftp), then you need a
different solution. Consider using a restricted shell such as rssh
<http://rssh.sourceforge.net/> or scponly
<http://www.sublimation.org/scponly/>. Some notes about rssh are
available
<http://episteme.arstechnica.com/groupee/forums/a/tpc/f/96509133/m/249003048731/r/478002248731>.
Alternatively, consider restricting authentication methods to
PubkeyAuthentication and restricting available commands in users'
.ssh/authorized_keys file.
If your goal is something else (for example, only allowing
portforwarding), you might try to be more specific.
: 2. LoginDelayTime - to specify a delay in milliseconds before the
: server responds to a client's login attempt.
This should be done using firewall rules, either at a network gateway or
on the host where the ssh server is running.
: These would help to employ brute force bots.
By 'employ', i am guessing you mean 'reduce risk from'.
Good luck.
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing. --Aldous Huxley|
+----------------------------------------------------------------------+
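As an added example (not part of the reply above and not OpenSSH code), a small POSIX sh audit helper for method (a): it reports whether an sshd_config's AllowGroups names only groups with no members, and it also looks at the passwd file, because users whose primary group is the allowed group do not appear in the group file's member list. The function names, the file-path parameters and the sample files are constructed; it does not handle Match blocks.

```sh
#!/bin/sh
# Added example (not from the post or from OpenSSH): report whether an
# sshd_config denies all logins via method (a), an AllowGroups directive
# that names only memberless groups. Paths are parameters so it runs
# against constructed sample files; Match blocks are not handled.

# ssh_deny_all_check SSHD_CONFIG GROUP_FILE PASSWD_FILE
# Prints "deny-all" (status 0) or "login-possible" (status 1).
ssh_deny_all_check() {
    cfg=$1; grp=$2; pw=$3
    # sshd honours the first occurrence of a keyword; '#' lines never match.
    allowed=$(awk 'tolower($1)=="allowgroups" { $1=""; print; exit }' "$cfg")
    [ -n "$allowed" ] || { echo "login-possible"; return 1; }
    for g in $allowed; do
        # A wildcard pattern may match populated groups: treat as permissive.
        case $g in *\**|*\?*) echo "login-possible"; return 1 ;; esac
        # Supplementary members live in field 4 of the group file ...
        members=$(awk -F: -v g="$g" '$1==g { print $4; exit }' "$grp")
        # ... but users whose primary group is this one appear only in
        # passwd (field 4 holds the numeric GID), so check that too.
        gid=$(awk -F: -v g="$g" '$1==g { print $3; exit }' "$grp")
        primary=""
        if [ -n "$gid" ]; then
            primary=$(awk -F: -v gid="$gid" '$4==gid { print $1; exit }' "$pw")
        fi
        if [ -n "$members" ] || [ -n "$primary" ]; then
            echo "login-possible"; return 1
        fi
    done
    echo "deny-all"; return 0
}

# Constructed sample files mirroring the groupadd/AllowGroups recipe above
# (not real system files). Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf 'Port 22\n#AllowGroups wheel\nAllowGroups allowssh\n' >"$dir/sshd_config"
    printf 'root:x:0:\nallowssh:x:2222:\nwheel:x:10:alice\n' >"$dir/group"
    printf 'root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' \
        >"$dir/passwd"
    echo "$dir"
}

# Stand-alone run: the allowssh group is empty, so this prints "deny-all".
samples=$(make_samples)
ssh_deny_all_check "$samples/sshd_config" "$samples/group" "$samples/passwd"
```

Run it against copies of the real files rather than the live /etc when auditing a host, since it only reads the paths it is given.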