How do I disable any kinds of remote control (SSH, X, NFS, SMB, ... what else?)
for a certain user?

Or, asked the other way round: How do I disable remote control
for all users except a certain one?

Is there a way to do it in one place?
(By placing the user in a certain group, or so)

6 Answers

  • SSH uses usernames & passwords for authentication/authorization.
  • The NFS server uses IP addresses for mounting authentication/authorization and the user id when individual files are used (the regular Unix permissions are used). Also it can use other methods, like Kerberos. Anyway the idea is that mounting authorization is done per machine, not per user.
  • Samba uses usernames & passwords for mounting most of the time (security = user) and I think that CIFS also supports using UIDs when accessing individual files just like NFS. The usernames & passwords are usually stored in a file called passdb.tdb, not in /etc/shadow, so passwd doesn't change the password of a Samba user.
  • X uses IP addresses for authentication/authorization or cookies.

As you can see, there's no easy way to enable/disable access to these services for a specific user.

LE: A couple of network services including RPC (used by NFS) and SSH, use the hosts_access mechanism (man hosts_access) for host based authentication/authorization. You'll need to edit /etc/hosts.allow and /etc/hosts.deny for this. Compared to iptables, the advantage is that you don't need to know the ports of the services, but not all services support this mechanism. Paranoid people would use both :-)

LE2: hosts_access supports usernames too, but AFAIK this is insecure.

Cristian Ciupitu

I'm not sure about SMB and NFS as I never use them. On my servers SSH is the only service available for remote access and I can limit their access with the AllowUsers directive in sshd_config. With the latest versions of OpenSSH there is an internal sftp server (no external dependencies) which can be configured. This makes it relatively easy to set up a user with sftp access to a chroot'ed directory only--as when they need to update web content, etc.

Subsystem sftp internal-sftp

Match User Joe
  ForceCommand internal-sftp
  ChrootDirectory /var/www

The chroot dir and all directories above it must be:
* owned by root
* not group or other writable
Devin Ceartas
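The chroot above only takes effect if every directory from / down to the ChrootDirectory is root-owned and not group/other writable, and sshd refuses the login otherwise. The following check script is an added example, not code from the answer; it assumes POSIX sh with `ls -ldn` available, and the function names dir_is_safe and check_chroot_path are my own.

```shell
#!/bin/sh
# Added example (not from the original answer): verify that a ChrootDirectory
# and every directory above it meet sshd's requirements, i.e. owned by root
# and writable by neither group nor others. Assumes POSIX sh and `ls -ldn`.

# dir_is_safe DIR [UID]: returns 0 if DIR is owned by UID (default 0 = root)
# and has neither the group-write nor the other-write bit set; 2 if unreadable.
dir_is_safe() {
    path=$1
    want_uid=${2:-0}
    # `ls -ldn` prints: <perms> <links> <uid> <gid> ...; -n keeps the uid numeric
    out=$(ls -ldn "$path" 2>/dev/null) || return 2
    set -- $out
    [ $# -ge 3 ] || return 2
    perms=$1
    uid=$3
    gw=$(printf '%s' "$perms" | cut -c6)   # group write bit ('w' or '-')
    ow=$(printf '%s' "$perms" | cut -c9)   # other write bit ('w', '-' or 't'/'x' variants)
    [ "$uid" = "$want_uid" ] && [ "$gw" = "-" ] && [ "$ow" = "-" ]
}

# check_chroot_path DIR: walk from DIR up to /, print every directory that
# fails dir_is_safe, and return 0 only if all components passed.
check_chroot_path() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "path must be absolute: $dir" >&2; return 2 ;;
    esac
    rc=0
    while :; do
        if ! dir_is_safe "$dir"; then
            echo "unsafe: $dir (must be root-owned and not group/other writable)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage: ./check_chroot.sh /var/www  (the ChrootDirectory from the answer)
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```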

You want to look into PAM: http://www.kernel.org/pub/linux/libs/pam/


You can easily disable a user account with this command:

passwd -l <username>

And re-enable it with:

passwd -u <username>

Whether or not this is completely effective at blocking the user's access depends on what services you have running. But they will certainly be prevented from logging in.

Rob H

A restrictive IPTABLES firewall with default DROP would work rather effectively (don't forget to keep a hole for yourself and local host). ;-) Manually add the static IP of the "allowable" host(s) on a port by port basis. No IP provided, no service. Note: This will not prevent tunnels to allowed ports for an allowed host. Also, as Cristian Ciupitu mentioned (up vote... ;-), samba has a "hosts allow" section, NFS has a range you export to, X forwarding can be disabled, and ssh can be blocked or denied.


I can't add a comment so ... what is the OP actually trying to do, stop a user from accessing clients with remote capabilities? Turn off all internet access? Are you really wanting to prevent incoming access to ports used for remote access [sudo ufw enable does that as the default is to drop all incoming requests]??

Removing the execute and/or read bits on the client binaries for, e.g., ssh will prevent a user from accessing it [sudo chmod o-rwx /usr/bin/ssh will stop anyone but owner (root) and group (root) using it, assuming they don't have permission to use it via sudo] - however they could just install a new client if you leave them with install rights.

Is this a multi-user machine? If it's serial multiple users (rather than parallel) then you could have a firewall script run on login for non-privileged users and disable various traffic. But then your user can tunnel traffic over non-traditional ports.

You can bypass any of these by loading a separate OS from a pendrive or DVD and then enable access to the computer. Which brings us back to the ultimate question of "what are you actually trying to achieve?".
