4

I want to "block/restrict" one of the accounts on my dedicated server, but I want the user to be allowed to log in, then I want a message to pop up for him (for example in PuTTY) and then close the connection (so the PuTTY window will stay up and he can read it, but he can't do/type anything in the console).

I remember that in the old days I was doing something like that on FreeBSD, but I kinda can't find any useful information about how to approach this problem.

Any help?

Eska

2 Answers

4

1. Edit /etc/ssh/sshd_config and add these directives at the bottom:

Match User guest
    Banner /etc/ssh/banner_guest
    DenyUsers guest
Match all
  • Replace guest with the actual username.

2. Create the banner file: sudo nano /etc/ssh/banner_guest, and type your message inside, for example:

+------------------+
| Get out of here! |
+------------------+

3. Restart the SSH server:

sudo systemctl restart ssh.service

The result would be:

[two screenshots of the resulting PuTTY session]

EDIT:

Please note that in the above example, regardless of whether PubkeyAuthentication is available and there is a valid /home/guest/.ssh/authorized_keys file, the user will get Permission denied (publickey).

If PasswordAuthentication is available, the user will be asked a few times for their password and in the end will get Permission denied (password). So if you want to further tease him (or her), change the above directives in this way:

Match User guest
    PasswordAuthentication yes
    PubkeyAuthentication no
    MaxAuthTries 20
    Banner /etc/ssh/banner_guest
    DenyUsers guest
Match all

For me the cleanest way is just show the message and kick them:

Match User guest
    PasswordAuthentication no
    PubkeyAuthentication no
    MaxAuthTries 1
    Banner /etc/ssh/banner_guest
    DenyUsers guest
Match all

The result of the above will be identical to the result of the first suggestion, but the message Permission denied (publickey) (Server refused our key) will not appear.

pa4080
1

I guess you are referring to /usr/sbin/nologin shell.

It is much simpler than the other answer, which implements something like this in a more complex way. Just add:

Match User guest
  ForceCommand /usr/sbin/nologin

And the user will get the message:

This account is currently not available.

(or another message configured in /etc/nologin.txt)

pa4080
Jakuje
  • Hello Jakuje, please add Match all so the answer is complete. This directive is needed in the case when the Match User section is not at the end of the configuration file. – pa4080 Apr 17 '17 at 19:23
  • Yes. In rare cases you can add Match all, but in general cases it is good practice to write all Match blocks at the end of the file. It is a known feature described in the manual pages and in many other questions around here, but it is not part of this question, so I don't think it should be written in every config snippet here. But thank you for the suggestion. – Jakuje Apr 17 '17 at 19:26
  • Yes, I've got it! But this explanation is a part of the answer that is missing. The main disadvantage here is that, when PuTTY (mentioned in the question) is used with its default settings, its window will be closed immediately and the message could not be read. – pa4080 Apr 17 '17 at 21:07
  • Whatever, for the record, another interesting option is the combination of the directives: Banner ... and ForceCommand /usr/lib/openssh/sftp-server. In this way users won't be able to login via SSH but they will be able to use SFTP, and also, they will receive the message. – pa4080 Apr 17 '17 at 21:07
  • @SpasSpasov 1) Banner is always shown, regardless of whether the authentication is successful or not. 2) Setting the sftp server will allow SFTP access as a "side effect", which is certainly not intentional, isn't it? It is very sad that PuTTY handles it in this way, but you can always add some prompt/read/sleep after the nologin command, if you want to make PuTTY show the message to you. – Jakuje Apr 17 '17 at 21:15
  • On the contrary, Match directives need to go to the top of the sshd_config – Even the sshd_config man page clearly says: "Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end." – Martin Prikryl Aug 25 '19 at 07:32
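An added example, not part of either answer or of the comments: a ForceCommand target that does what Jakuje suggests in the last exchange, i.e. shows the nologin-style message and then holds the session open for a few seconds before exiting, so that PuTTY with its default "Close window on exit" setting does not close the window before the user can read it. Unlike the Banner in pa4080's answer, which sshd sends before authentication, this runs only after the user has authenticated successfully. The install path /usr/local/sbin/deny-with-message, the environment variables DENY_MESSAGE_FILE and DENY_WAIT_SECONDS, and the sshd_config placement shown in the header comment are assumptions; the default message text is the one /usr/sbin/nologin prints.

```shell
#!/bin/sh
# Added example, not from the answers above. Assumed install path:
# /usr/local/sbin/deny-with-message (chmod 755), referenced from sshd_config as
#
#   Match User guest
#       PubkeyAuthentication no
#       PasswordAuthentication yes
#       ForceCommand /usr/local/sbin/deny-with-message
#
# sshd runs a ForceCommand through the user's login shell with -c, so the
# account must keep a real shell (for example /bin/sh); if the account's shell
# is /usr/sbin/nologin this script never runs. DENY_MESSAGE_FILE and
# DENY_WAIT_SECONDS are assumed names for overriding the defaults.
MESSAGE_FILE="${DENY_MESSAGE_FILE:-/etc/nologin.txt}"
WAIT_SECONDS="${DENY_WAIT_SECONDS:-15}"

# Print the message: the admin-maintained file if it is readable, otherwise
# the same default text that /usr/sbin/nologin prints.
deny_message() {
    if [ -r "$MESSAGE_FILE" ]; then
        cat "$MESSAGE_FILE"
    else
        printf '%s\n' "This account is currently not available."
    fi
}

# Show the message, keep the session open for $1 seconds (default
# WAIT_SECONDS) so a PuTTY window with default settings stays readable, then
# return non-zero so sshd closes the connection. Whatever command the client
# asked for is already ignored by ForceCommand; it is only logged here so the
# admin can see what the blocked account tried to run.
deny_session() {
    secs="${1:-$WAIT_SECONDS}"
    deny_message
    printf 'This connection will be closed in %s seconds.\n' "$secs"
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        logger -t deny-with-message \
            "refused command from ${SSH_CLIENT:-unknown}: $SSH_ORIGINAL_COMMAND" \
            2>/dev/null || true
    fi
    sleep "$secs"
    return 1
}

# Run the session only when invoked under the assumed install name, so the
# functions can be sourced or tested without blocking on the sleep.
case "$0" in
    */deny-with-message|deny-with-message) deny_session ;;
esac
```

After installing the script and editing sshd_config, check the syntax with `sudo sshd -t` and confirm the Match block actually applies to the account with `sudo sshd -T -C user=guest,host=client.example,addr=203.0.113.5 | grep -i -e forcecommand -e authentication` (host and address are constructed values; sshd prints the effective directives for that connection). The delay is a server-side workaround only; a user who sets PuTTY's "Close window on exit" to "Never" would see the message even without it.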