When I create a user on Gitlab, it creates a regular user on linux and it can login using a regular SSH protocol with same password an user.
How can I disable the SSH login using SSH to desired users? All my server is exposed to that users.
Thank you
Edit the sshd_config file adding this line
DenyUsers username1 username2 username3 username4
DenyUsers
separated by spaces. Login is disallowed for user names that
match one of the patterns. â*â and â?â can be used as wildcards
in the patterns. Only user names are valid; a numerical user ID
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER#HOST then USER and HOST are
separately checked, restricting logins to particular users from
particular hosts.
Read more: http://linuxpoison.blogspot.com/2008/08/how-to-deny-ssh-access-for-certain-user.html#ixzz3QkT71bsV
In case you need more than just the login, you can now block SSH as a all:
See GitLab 15.1 (June 2022)
Block Git access protocols at group level
To improve security, you can now block Git access protocols that you don’t use at the group level.
This is similar to the GitLab administrator setting, but can now be set per
group.
By default, both HTTP(S) and SSH are enabled.
In your group’s Settings > General > Permissions, scroll to Enable git access protocols and remove any protocols you don’t use.
See Documentation and Issue.
Related
I have a requirement to validate if a given user can login to a machine. I don't know their password, but the script can elevate to root using sudo. All the users are AD accounts using SSSD.
Everything I've found just validates if the user is valid or not, such as using
id -u. Doing sudo -lu doesn't work if the user has never logged in before and only shows their sudo permissions. I've also tried using ldapsearch, but that only queries the AD server to see if they have the correct profiles, but not necessarily on that server.
Create in the Domain a group with the users you want to allow in the machine and use it in the key simple_allow_groups explained below.
In the /etc/sssd/sssd.conf Add/Modify the following keys:
access_provider = simple # This will allow you to control who can log in the computer using the simple_allow_groups.
simple_allow_groups = groupname1, groupname2 # Domain groupnames allow you to limit the log on permission for just the members of the groups in this option.
Edit the sudoers (using visudo) and add:
%groupname1 ALL=(ALL) NOPASSWD: ALL
This will allow the user to run any command. If you want to limit the commands allowed, see the examples in the sudoers file.
We have setup our account policies in PAM to follow the RHEL7 STIG guidelines http://rhel7stig.readthedocs.io/en/latest/. We do have some service accounts where their passwords are empty and use SSH keys to login. After the 60 days the service accounts password expire and get disabled. This is not the behavior I was expecting for a passwordless account, I did not think the password expiration would have applied to passwordless accounts. How do I tell PAM not to expire passwordless accounts?
In login.defs
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60
PASS_WARN_AGE 7
FAIL_DELAY 4
In /etc/default/useradd
INACTIVE=0
Since the system doesn't care if these accounts have a password or not. You'll have to set PASS_MAX_DAYS to 99999 or what ever seem appropriate for these accounts.
Looks like I need to create these accounts as system accounts. From the useradd man page...
System users will be created with no aging information in /etc/shadow - https://linux.die.net/man/8/useradd
Example command.
useradd testuser --system
If you're using Ansible you can specify system in the user module.
- user:
name: testuser
group: testuser
system: yes
The result is visible in /etc/shadow. Notice no password max age entry for the testuser.
[root#localhost ~]# useradd testuser --system
[root#localhost ~]# grep testuser /etc/shadow
testuser:!!:17417::::::
[root#localhost ~]# grep ryan /etc/shadow
ryan:*:18976:1:60:7:0::
PAM solution offers a secure, streamlined way to authorize and monitor
all privileged users for all relevant systems.
IT teams commonly share root, Windows Administrator, and many other privileged credentials for convenience so workloads and duties can be seamlessly shared as needed. Now, with multiple people sharing the same account password, creates security, auditability, and compliance issues. Privileged accounts and credentials may be managed differently across various organizational silos, leading to inconsistent enforcement of best practices. Applications and service accounts frequently possess excessive privileged access rights by default, and also suffer from other serious security deficiencies.
The solution can be: "UsePAM no"
The solution can be: Set the users password to never expire
You might not want to change your PAM or sshd_config for compliance
reasons.
You might be using PasswordAuthentication no in sshd_config
You might have randomized passwords.
You might even have implemented CIS compliance.
Still if your users get the prompt, then root can tweak the password changed date:
for user in `grep ":x:[0-9]\{4\}" /etc/passwd|cut -d: -f1`; do chage -d today $user;
Attaching a few references:
https://access.redhat.com/solutions/5447861
https://documentation.suse.com/sles/15-SP2/html/SLES-all/sec-sec-user-management.html
Final Thoughts:
I believe that we need to keep our accounts authenticated to avoid any 3rd party or other irrelevant users accessing our data & information for the reason, that we may have confidential data that we may want to protect from diverse eyes that are on the web.
Also, you may take a look at this answer, if you need an another perspective of my answer (https://stackoverflow.com/a/46120833/18154805)
My campus runs a gitlab server. I am a user, not an admin. Campus policy forbids giving LDAP access to off-campus collaborators/co-authors, but has no problem in principle with allowing such folks to have "Developer" level access to non-public repositories on an invitational basis. Is it possible to have my off-campus colleagues send me an SSH key, and have the gitlab admin create a no-login user with that key who I could then add as a "Developer" member to selected projects? If it's do-able, what's the magic process so I can pass it along to the IT support folks?
Ask your IT support team to create Gitlab account with specific permissions for those developers without LDAP account. And then simply add them to the repositories and ask them to upload ssh keys.
Is there any method to define another level of security that users are forced to use a single predefined device, while connecting to linux server via SSH.
For instance, user1 (with his username/password) is only allowed to use pc1 to connect to linux server, so I need to define a white list concept in linux server, so if user1 attempts to login with pc2 with the correct username and password the connection will be denied. How can we uniquely address pc1 to user1? What kind of address I need to use? the mac address is not usable since machines are in a different subnet with server, and IP address is not always remaining the same.
For machines with fixed IPs, you add the following to your /etc/ssh/sshd_config:
DenyUsers *
AllowUsers user3
Match Address pc1
AllowUsers user1
Match Address pc2
AllowUsers user2
Line 1 may be too strict, forbidding access to any user by default. The example at line 2 allows user3 to log from any machine.
For use cases like that described by Mahsa, host-based authentication will be the way to go, with HostbasedUsesNameFromPacketOnly enabled.
More information at the sshd_config manpage and at this tutorial.
If you disable password authentication (PasswordAuthentication no), you can restrict the public key origin on ~/.ssh/authorized_keys
Take a look at: http://feeding.cloud.geek.nz/posts/hardening-ssh-servers/
How I can create users in Subversion.
For when people access the repository, only to see their projects or files and not those of the other people?
Answer depends on how Subversion server is setup.
If you're using httpd then it depends on how authentication is setup in httpd. See SVNBook | Authentication options.
If you're using svnserve then you can use the built in authentication setup.
And if you're using svn+ssh:// then either users log into ssh as their own user (in which case how to add users is a function of adding users to ssh) or they log into as a shared user and the --tunnel-user argument gets set.