
Provide mechanism to limit ssh login in Debian Edu?



One request that comes up from time to time, is to provide a way in
Debian Edu to limit who can log into ssh, either for the main server or
from outside the school.

One way to do this is to create a new group (say 'sshusers') and list it
in /etc/ssh/sshd_config like this:

  AllowGroups sshusers

This way only members of the sshusers group will be allowed to ssh into
the machine with such a setup.

An alternative is to switch the logic around, and create a new group
(say 'nosshlogin') and update /etc/ssh/sshd_config like this:

  DenyGroups nosshlogin

This will block members of the group from logging in via ssh.

One challenge is that LTSP uses SSH to log in users when using LDM, so
if ssh login on the LTSP server is blocked like this, the user will not
be able to log in on LTSP clients either.  One way around that might be
to allow everyone on the school network to log in, but only allow members
of a group (say 'remotesshlogin') access via ssh from outside the school.

What do the rest of you think about such an idea?  Something for the
version after Jessie?  Perhaps something to document in the manual for
Jessie?  If so, which recipe should we recommend?

-- 
Happy hacking
Petter Reinholdtsen
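
The third recipe in the message above (everyone may log in from the school network, only 'remotesshlogin' members from outside) can be expressed with a Match block in /etc/ssh/sshd_config. This is an added example, not part of the original post or of Debian Edu's shipped configuration; the address ranges are assumptions and must be replaced with the site's own school and LTSP client networks.

```conf
# /etc/ssh/sshd_config (fragment, added example)
#
# No AllowGroups/DenyGroups in the global section: users connecting from
# the school network, including LDM logins from LTSP clients, are not
# restricted by group.

# Match blocks must come after all global settings; a Match block runs
# until the next Match line or the end of the file.
#
# A pattern list made only of negated entries never matches, so the list
# starts with "*" and then excludes the internal ranges.
#   10.0.0.0/8      assumed school network range
#   192.168.0.0/24  assumed LTSP client subnet
#   127.0.0.0/8     loopback, so local connections on the server still work
Match Address *,!10.0.0.0/8,!192.168.0.0/24,!127.0.0.0/8
    # Connections from any other source address: only members of this
    # group may log in. The group must exist (locally or in LDAP).
    AllowGroups remotesshlogin

# Check before restarting sshd:
#   sshd -t
#     (syntax check of the whole file)
#   sshd -T -C user=someuser,host=example.invalid,addr=203.0.113.10 | grep -i allowgroups
#     (should print "allowgroups remotesshlogin" for an outside address)
#   sshd -T -C user=someuser,host=example.invalid,addr=10.0.2.2 | grep -i allowgroups
#     (should print nothing for an assumed inside address)
# someuser, example.invalid and both addresses are constructed test values.
```

If clients reach the server over IPv6 as well, the internal IPv6 prefixes need to be excluded in the same pattern list, otherwise those connections are treated as coming from outside.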

