forbid openssh-client

Linux Kernel, Network, and Services configuration.
Debian_usr
Posts: 2
Joined: 2018-02-22 17:23

forbid openssh-client

#1 Post by Debian_usr »

Hello,

I'm trying to secure a Debian server which is accessible via its openssh-server connection. But I would like to prevent users from using this server to connect to other Linux servers via the ssh client installed on it.
The problem is that openssh-client is part of the openssh-server dependencies. Is there an elegant way to forbid users from using the ssh command (apart from chmod 750 ssh), or deny tcp 22 output with iptables?

Thank you

TonyT
Posts: 575
Joined: 2006-09-04 11:57

Re: forbid openssh-client

#2 Post by TonyT »

Try renaming /etc/ssh/ssh_config (client configuration file) to ssh_config.old, then test using ssh client and see if it fails.

Debian_usr
Posts: 2
Joined: 2018-02-22 17:23

Re: forbid openssh-client

#3 Post by Debian_usr »

Hello Tony,

Thanks, but not working.

None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: forbid openssh-client

#4 Post by None1975 »

Debian_usr wrote:Hello,

I'm trying to secure a Debian server which is accessible via its openssh-server connection. But I would like to prevent users from using this server to connect to other Linux servers via the ssh client installed on it.
The problem is that openssh-client is part of the openssh-server dependencies. Is there an elegant way to forbid users from using the ssh command (apart from chmod 750 ssh), or deny tcp 22 output with iptables?

Thank you
Hello. Is standard Linux ACL permission-based security not sufficient? Ok, check this.
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

TonyT
Posts: 575
Joined: 2006-09-04 11:57

Re: forbid openssh-client

#5 Post by TonyT »

The openssh client is located at /usr/bin/ssh.
You could rename it to ssh.old.
Rename it back when you need it.
Or use a script that renames it (to disable it) and another to rename it back.
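
The two controls named in the question (group-only execute permission on the client binary and an outbound TCP/22 block), written out as an added example that is not part of any post in this thread. It registers the mode with `dpkg-statoverride` so that a package upgrade does not put `/usr/bin/ssh` back to its default permissions. The group name `sshclient` is an assumption and must already exist.

```shell
#!/bin/sh
# Added example, not from the thread. "sshclient" is a hypothetical group name.

# Return 0 if the "other" permission class can execute FILE.
others_can_exec() {
    perms=$(ls -ld -- "$1") || return 2
    case $(printf '%s' "$perms" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Make BIN root:GROUP 0750. For dpkg-owned files register a stat override,
# so a package upgrade does not restore the default mode.
restrict_client() {
    bin=$1 group=$2
    if command -v dpkg-statoverride >/dev/null 2>&1 &&
       dpkg -S "$bin" >/dev/null 2>&1; then
        # --add refuses to overwrite an existing override, so drop it first.
        if dpkg-statoverride --list "$bin" >/dev/null 2>&1; then
            dpkg-statoverride --remove "$bin"
        fi
        dpkg-statoverride --update --add root "$group" 0750 "$bin"
    else
        # Not package-managed (or not a dpkg system): plain chgrp/chmod.
        chgrp "$group" "$bin" && chmod 0750 "$bin"
    fi
}

# Reject outbound connections to TCP/22. Replies from the local sshd
# leave with *source* port 22, so inbound SSH sessions are unaffected.
block_outbound_ssh() {
    iptables -C OUTPUT -p tcp --dport 22 -j REJECT 2>/dev/null ||
        iptables -A OUTPUT -p tcp --dport 22 -j REJECT
}

# Only touch the system when asked to: sh lockdown.sh --apply [group]
if [ "${1:-}" = "--apply" ]; then
    restrict_client /usr/bin/ssh "${2:-sshclient}"
    block_outbound_ssh
fi
```

Mode bits on `/usr/bin/ssh` do not stop a user from running another SSH client binary they bring themselves, so the OUTPUT rule is the control that actually limits outbound connections, and it only covers servers listening on port 22.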
