Hello,
I'm trying to secure a Debian server which is accessible via its openssh-server connection. But I would like to prevent users from using this server to connect to other Linux servers via the ssh client installed on it.
The problem is that openssh-client is part of openssh-server's dependencies. Is there an elegant way to forbid users from using the ssh command (apart from chmod 750 ssh), or to deny TCP 22 output with iptables?
Thank you
forbid openssh-client
Re: forbid openssh-client
Try renaming /etc/ssh/ssh_config (client configuration file) to ssh_config.old, then test using ssh client and see if it fails.
- None1975
Re: forbid openssh-client
Hello. Is standard Linux ACL permission-based security not sufficient? Ok, check this.
Re: forbid openssh-client
The openssh client is located at /usr/bin/ssh.
You could rename it to ssh.old.
Rename it back when you need it.
Or use a script that renames it (to disable it) and another to rename it back.
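One way to script the rename suggested in the reply above, as an added example that is not part of the original thread: it uses Debian's dpkg-divert instead of a bare mv, so an openssh-client upgrade does not put /usr/bin/ssh back. The function names and the DRY_RUN switch are assumptions of this example; the ".old" suffix follows the reply.

```sh
#!/bin/sh
# Added example: toggle the packaged OpenSSH client with dpkg-divert.
# Assumptions (not from the thread): function names, and DRY_RUN=1 (default),
# which prints the commands instead of running them.
SSH_BIN="${SSH_BIN:-/usr/bin/ssh}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

disable_client() {
    # --rename moves the binary now; the registered diversion makes dpkg
    # unpack future versions of the file to the ".old" path as well.
    run dpkg-divert --local --rename --divert "$SSH_BIN.old" --add "$SSH_BIN"
}

enable_client() {
    # Drops the diversion and moves the binary back to its packaged path.
    run dpkg-divert --local --rename --remove "$SSH_BIN"
}

client_status() {
    if [ -x "$SSH_BIN" ]; then echo enabled; else echo disabled; fi
}

case "${1:-}" in
    disable) disable_client ;;
    enable)  enable_client ;;
    status)  client_status ;;
    "")      : ;;  # no argument: only define the functions
    *)       echo "usage: $0 {disable|enable|status}" >&2; exit 2 ;;
esac
```

Run it as root with DRY_RUN=0 and the argument disable or enable. It only hides the packaged binary: a user who can copy in and execute their own client is unaffected, which is the case the outbound filtering raised in the question covers.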