Ssh – How to disable login for an user

linuxSecuritysshusers

My Linux has many not-human users like cron, ntp, daemon, http, etc. I want to disable anybody to login as any of this users. Real people on my machine are root and me, so only root and me should be able to login.

For not-human users in the /etc/passwd file /bin/false defined as shell, but I have read it doesn't protect for login via SSH, for example.

passwd -l doesn't protect for login via SSH too (as the man says).

Is there solution at all?

Best Answer

System accounts should already be locked, by setting their password hash to an invalid one (I see x and ! in my /etc/shadow). The only ways to get into their accounts without a password (as far as I know) are ssh with keypair auth (impossible unless someone with write permissions in their home directory put a public key in their ~/.ssh/authorized_keys), you can use Alex's AllowUsers configuration to prevent that remote possibility; and using su as root to get a shell as them. This possibility is impossible to prevent if anyone has access to root power. But if they do have root permissions, suing to a daemon account is the last thing you need to worry about.

Related Solutions

Shell – Wrong root shell in /etc/passwd

Even though these appliance type products are based on Linux it's generally a good idea not to try and customize them as though they're Linux boxes. They typically are missing most of the tools and are usually stripped down in various ways which can make this dangerous.

I've had experience with both Netgear's ReadyNAS box as well as the Thecus boxes and this has always been the case with both these types of products. You might want to consider doing a factory restore to get this back normal instead of hacking it your self.

You'll have to reconfigure the box but this is usually just setting the IP back up and potentially some user account creation.

I direct you to the actual pages from Synology that cover how to accomplish this:

Shell – Passwordless SSH for “System User” with NO Login Shell

Set the crypt field to * or to !! in /etc/shadow

# adduser tst  
# passwd -l tst
Locking password for user tst.
passwd: Success
# grep tst /etc/passwd
tst:x:1000:1000::/home/tst:/bin/bash
# grep tst /etc/shadow
tst:!!:17030:0:99999:7:::

At this point the user can not login because there's no valid password.

Now add a command="/thing/to/do" to the beginning of the public key in the authorized_keys file

# ls -l $PWD/authorized_keys 
-rw-r--r-- 1 tst tst 431 Aug 17 17:54 /home/tst/.ssh/authorized_keys

# cat $PWD/authorized_keys
command="/bin/echo hello" ssh-rsa AAAAB3NzaC1yc2E....etcetc

Now this key can be used, but the only thing it can be used for is that forced command:

$ ssh -i ~/.ssh/id_rsa tst@test1
hello
Connection to test1 closed.

If you try to do anything else it'll fail, and still force the same command

$ ssh -i ~/.ssh/id_rsa tst@test1 reboot 
hello
$

Best Answer

Related Solutions

Shell – Wrong root shell in /etc/passwd

Shell – Passwordless SSH for “System User” with NO Login Shell

Related Question