ssh restriction question (Debian Woody)
Syngin
04-12-2002, 11:16 AM
When restricting ssh access based on login, can you do a similar config to a firewall setup where it denies everyone by default and then allows only those that are purposefully specified in sshd_config?
ie. (something like this?)
DenyUsers all
AllowUsers bob
I'm configuring this remotely and wanted to make sure I didn't lock myself out ;)
Thanks.
Update: Oh also how would I go about finding a user's UID?
Sorry if these questions are pretty basic. I haven't really explored the multiuser aspects of Linux up until this point.
[ 12 April 2002: Message edited by: Syngin ]
marvin
04-12-2002, 11:47 AM
Not sure I understand exactly what you want...
Do you want your firewall to restrict access to the ssh server based on the user's login? I.e. so the ssh port won't show when you are port scanned? In that case you can't, the login is not sent until after the tcp connection is initiated and the ssh client and server have negotiated on which encryption to use.
What you can do in the firewall is to only allow a set of IP addresses but then you can only access your host from certain computers.
To find out what UID a certain user has you can check the /etc/passwd file or use the id [user] command. It will print info about what UID the user has as well as info on which groups the user belongs to.
Syngin
04-12-2002, 11:51 AM
Oh sorry. No, I was just comparing the ssh setup i'd like to how most firewalls are setup.
Ie. deny all by default and then specify after that like which accesses are permitted.
marvin
04-12-2002, 12:53 PM
Originally posted by Syngin:
Oh sorry. No, I was just comparing the ssh setup i'd like to how most firewalls are setup.
Ie. deny all by default and then specify after that like which accesses are permitted.
Ok, are you using iptables? I guess what you want is to set the default policy to DROP. This makes packets be dropped unless they are matched by a rule in your firewall script, allowing the packet to pass.
You can allow all packets in state ESTABLISHED and RELATED to pass the fw. This way you can receive replies from any server you are allowed to connect to by your OUTPUT chain. Let incoming packets in the state NEW only pass the fw if they come from certain allowed IP addresses or IP blocks. (i.e. use the -s IP_ADDR[/mask] option to match certain IPs or IP blocks)
You can find more info in the man page for iptables and at http://www.netfilter.org
Syngin
04-12-2002, 03:39 PM
Hehe ok, forget I mentioned firewalls. Just need to know whether I can have a similar setup in SSH. Comparing it to a firewall setup was just to give people the idea of what I was talking about.
The question actually has nothing to do with firewalls. :p
marvin
04-12-2002, 05:54 PM
:eek: Well, after doing a "skill -HUP brain" I reread your first post and finally understand what you're asking, (I hope) ;) Sorry for the confusion...
Which ssh server do you run? I have OpenSSH and the man page mentions that you can use AllowUsers or AllowGroups to restrict ssh logins to only listed users or groups. More info is given in the sshd man page (if you use OpenSSH).
I hope I understood you correctly this time :D
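Marvin's AllowUsers answer, as an added example that is not from the thread: a small POSIX sh model of how sshd evaluates DenyUsers and AllowUsers (DenyUsers is checked first, and a present AllowUsers line refuses anyone not listed, so Syngin's "DenyUsers all" line is unnecessary and would only match a user literally named all), followed by a lockout-safe reload step. The sshd -t check and the pid-file path are assumed from OpenSSH's usual layout; group directives and comma/negation patterns are not modelled.

```shell
# Added example (not from the thread): models the user stage of OpenSSH's
# login filter, DenyUsers first and then AllowUsers, so an allow-list can be
# checked before it is loaded on a box you only reach over ssh.
# Constructed sshd_config fragment for the demonstration:
SSHD_CONF='
# Default-deny: once AllowUsers is present, any login not listed is refused.
AllowUsers bob alice@192.0.2.10
# DenyUsers is checked first, so a listed user can still be blocked.
DenyUsers bob@203.0.113.*
'

# glob_match PATTERN STRING: 0 if STRING matches the sshd-style wildcard pattern
glob_match() {
    case "$2" in $1) return 0 ;; esac
    return 1
}

# pattern_hits PATTERN USER HOST: 0 if PATTERN matches USER, and also HOST
# when the pattern has the USER@HOST form
pattern_hits() {
    case "$1" in
        *@*) glob_match "${1%%@*}" "$2" && glob_match "${1#*@}" "$3" ;;
        *)   glob_match "$1" "$2" ;;
    esac
}

# directive_matches NAME CONF USER HOST: 0 if any pattern on any NAME line
# of CONF matches, 1 if none does, 2 if NAME does not occur at all
directive_matches() {
    pats=$(printf '%s\n' "$2" |
        awk -v d="$1" 'tolower($1)==tolower(d){for(i=2;i<=NF;i++)print $i}')
    [ -n "$pats" ] || return 2
    for p in $pats; do pattern_hits "$p" "$3" "$4" && return 0; done
    return 1
}

# sshd_user_allowed CONF USER HOST: 0 if the user-level filter admits the login
sshd_user_allowed() {
    directive_matches DenyUsers "$1" "$2" "${3:-}" && return 1   # deny wins
    rc=0; directive_matches AllowUsers "$1" "$2" "${3:-}" || rc=$?
    [ "$rc" -eq 2 ] && return 0   # no AllowUsers line: nobody is filtered
    return "$rc"
}

# Lockout-safe rollout (needs root, not run here; paths are assumptions):
# validate the candidate file with sshd -t, then HUP the daemon while the
# current session stays open until a fresh login succeeds.
apply_sshd_config() {
    sshd -t -f "$1" || return 1
    cp "$1" /etc/ssh/sshd_config && kill -HUP "$(cat /var/run/sshd.pid)"
}
```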