List of all users that can connect via SSH

Question

I recently started looking at my auth-logs and surprisingly found bots from china trying to bruteforce their way in this (didnt try hard). I went all about changing numerous things that bots would never check, and made harder to bruteforce.

My question is:

I am trying to find a list of all users that can log in to my server via SSH. I know that /etc/passwd has a list of all users, but I don't know if any of them (except for 1) can be logged in.

My goal is to only have 1 user that can be logged in, and having that user have a real strong password.

Please clear one thing that You want to know the list of all peoples who are connected to you via SSH.right? — Freak, Apr 04 '13 at 03:52
Why not just deny an IP after X failed login attempts? That seems easier to me. — Hunter McMillen, Apr 04 '13 at 03:52
This is more of a sysadmin question than programming, and probably should be migrated to serverfault.com. — Barmar, Apr 04 '13 at 03:54
To the third comment, ya sry bout that, thanks for future reference :) — tommydrum, Apr 04 '13 at 19:14
And to the second comment, because real hackers and bots would just switch IP's or hosts and continue with same brute force results. — tommydrum, Apr 04 '13 at 19:16
And I would rather cut down on the log output, so I changed the port already, but next I will set up a private key, and put it on my flash drive :P — tommydrum, Apr 04 '13 at 19:17
hrm... is a moderator going to move this to serverfault.com? Please? (newb mistake back then) — tommydrum, Apr 22 '14 at 16:51

score 40 · Accepted Answer · answered Apr 04 '13 at 09:16

40

Read man sshd_config for more details, but you can use the AllowUsers directive in /etc/ssh/sshd_config to limit the set of users who can login.

e.g.

AllowUsers boris

would mean that only the boris user could login via ssh.

answered Apr 04 '13 at 09:16

dave4420

46,404
6
118
152

5

Correct me if I'm wrong, but without the `AllowUsers` directive, there are no restrictions on which users can log in via ssh.? – matty Feb 29 '16 at 16:57
Don't forget to restart ssh service after changing the config: `sudo service ssh restart` – Klesun Apr 20 '18 at 11:50

score 28 · Answer 2 · answered Apr 04 '13 at 04:55

Any user with a valid shell in /etc/passwd can potentially login. If you want to improve security, set up SSH with public-key authentication (there is lots of info on the web on doing this), install a public key in one user's ~/.ssh/authorized_keys file, and disable password-based authentication. This will prevent anybody except that one user from logging in, and will require that the user have in their possession the matching private key. Make sure the private key has a decent passphrase.

To prevent bots from trying to get in, run SSH on a port other than 22 (i.e. 3456). This doesn't improve security but prevents script-kiddies and bots from cluttering up your logs with failed attempts.

score 7 · Answer 3 · answered Apr 04 '13 at 03:54

7

Any user whose login shell setting in /etc/passwd is an interactive shell can login. I don't think there's a totally reliable way to tell if a program is an interactive shell; checking whether it's in /etc/shells is probably as good as you can get.

Other users can also login, but the program they run should not allow them to get much access to the system. And users that aren't allowed to login at all should have /etc/false as their shell -- this will just log them out immediately.

answered Apr 04 '13 at 03:54

Barmar

741,623
53
500
612

3

Users with an invalid password aren't able to login as well. (It was `*` or `!` in `/etc/shadow`, don't remember which one...) – glglgl Apr 04 '13 at 06:37
@glglgl This was my fix; '*' was for system accounts, and '!' was for accounts that I created. User Accounts that could log in had the '!' replaced with some kind of hash in `/etc/shadow` – wruckie May 21 '18 at 16:56

List of all users that can connect via SSH

3 Answers3