Diary and notebook of whatever tech problems are irritating me at the moment.

20091225

Restricting SSH logins to specific groups on Ubuntu

On Ubuntu I have a user account "administrator" which is in the admin group. It has a complicated password for security. By default OpenSSH allows every user account to attempt a remote login. Since user accounts often have weak passwords, it's unsafe to allow this. I could use ssh-keygen to create keys instead, but the systems I support are not in the same physical locations, so an ad-hoc arrangement is easier, as I can't predict what I'll be connecting with.

To set up this restriction, all I needed to do was edit /etc/ssh/sshd_config (see the man page for the file) and add "AllowGroups admin". Then I had sshd reload the config with "/etc/init.d/ssh reload". After that, only members of the admin group could log in, and all others receive the generic "Permission denied, please try again." message. sshd_config also supports allowing or blocking by user and by host.
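The same change with guards against locking yourself out, as an added example that is not part of the original post: it refuses to proceed if the login account is not in the group, places the line ahead of any Match block so it applies globally, and checks the file with sshd's test mode before reloading. The function names, the .bak backup suffix and the /usr/sbin/sshd path are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenSSH.

# in_group USER GROUP: succeed only if USER is a member of GROUP.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# set_allowgroups CONF GROUP: make GROUP part of the global AllowGroups list.
# Assumes the whitespace-separated "Keyword value" form of sshd_config lines.
set_allowgroups() {
    conf=$1 group=$2
    tmp=$(mktemp) || return 1
    awk -v g="$group" '
        { kw = tolower($1) }                  # keywords are case-insensitive
        kw == "match" && !inmatch {           # lines after Match apply only to
            if (!done) print "AllowGroups " g # that block, so insert before it
            done = 1; inmatch = 1
        }
        kw == "allowgroups" && !inmatch {     # extend an existing global list
            found = 0
            for (i = 2; i <= NF; i++) if ($i == g) found = 1
            if (!found) $0 = $0 " " g
            done = 1
        }
        { print }
        END { if (!done) print "AllowGroups " g }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# restrict_ssh CONF GROUP USER: run as root on the server, for example
#   restrict_ssh /etc/ssh/sshd_config admin administrator
restrict_ssh() {
    in_group "$3" "$2" || { echo "refusing: $3 is not in $2" >&2; return 1; }
    cp -p "$1" "$1.bak" || return 1
    set_allowgroups "$1" "$2" || return 1
    # -t only validates the file; put the backup back if validation fails.
    /usr/sbin/sshd -t -f "$1" || { cp -p "$1.bak" "$1"; return 1; }
    /etc/init.d/ssh reload
}
```

Keep the current SSH session open and confirm a fresh login from a second terminal before disconnecting.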
