How to disable user ssh login under Linux

Jephe Wu -

Objective:  explain all the ways of disabling a user's shell or SSH access under Linux and their pros and cons
Environment: CentOS 6.4 64bit


1. using /sbin/nologin or /bin/false as the login shell
useradd jephe -s /sbin/nologin
chsh -s /sbin/nologin jephe

pros: disables interactive shell access
cons: doesn't disable SSH TCP port forwarding.

e.g. the user can still ssh to the server and set up port forwarding as follows, without ever getting a shell:

ssh -N -L 2222:remote:22 server

2. password lock/unlock

passwd -l jephe and passwd -u jephe
usermod -L jephe and usermod -U jephe

Pros: disables password login by locking the password hash in /etc/shadow
cons: if the user had configured public key authentication before you locked the password, the user can still ssh in.

related command: chage -d 0 jephe # sets the last password change date to 0 so the password is expired and the user has to change it immediately upon login; run 'chage -l jephe' to check.

chage -d 0 is different from chage -E0: chage -d 0 expires the password, forcing the user to change it after login, whereas chage -E0 expires the account, totally disabling the user on the system.

3. make the user account expire totally
chage -E0 jephe and reverse it with chage -E-1 jephe

Pros and cons: totally disables the user account; the user is unable to ssh in by any method
If you need to totally disable a user's ssh access, use this way.

[root@server1 ~]# chage -E0 corkroo
[root@server1 ~]# getent shadow corkroo
[root@server1 ~]# chage -E-1 corkroo
[root@server1 ~]# getent shadow corkroo
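To see which of the three mechanisms above is actually in effect for each account, the following added script (not part of the original post) classifies users from passwd and shadow records. The records are constructed samples with fake hashes so it runs without root; on a real host you would feed it /etc/passwd and the output of getent shadow.

```shell
#!/bin/sh
# Added example, not part of the original post: report which of the three
# mechanisms above is in effect for each user by reading passwd/shadow
# records. The records below are constructed samples (hashes are fake) so
# the script runs without root; on a real host replace them with
# /etc/passwd and the output of "getent shadow".

PASSWD_SAMPLE='jephe:x:1001:1001::/home/jephe:/sbin/nologin
corkroo:x:1002:1002::/home/corkroo:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash
bob:x:1004:1004::/home/bob:/bin/false'

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# corkroo has expire=0 (chage -E0); alice has a "!"-prefixed hash (passwd -l)
SHADOW_SAMPLE='jephe:$6$fakesalt$fakehash:16000:0:99999:7:::
corkroo:$6$fakesalt$fakehash:16000:0:99999:7::0:
alice:!$6$fakesalt$fakehash:16000:0:99999:7:::
bob:$6$fakesalt$fakehash:16000:0:99999:7:::'

field() {   # field RECORDS USER N -> Nth colon-separated field of USER's record
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }'
}

# Prints one of: expired, nologin+locked, nologin, locked, active, unknown
account_state() {
    user=$1
    shell=$(field "$PASSWD_SAMPLE" "$user" 7)
    hash=$(field "$SHADOW_SAMPLE" "$user" 2)
    expire=$(field "$SHADOW_SAMPLE" "$user" 8)
    if [ -z "$shell" ]; then echo unknown; return 1; fi

    # chage -E0 writes 0 into the expire field (days since 1970-01-01);
    # an expiry date in the past refuses every authentication method
    today=$(( $(date +%s) / 86400 ))
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired; return 0
    fi

    case "$shell" in
        */nologin|*/false) shell_blocked=1 ;;   # section 1: port forwarding still possible
        *)                 shell_blocked=0 ;;
    esac
    case "$hash" in
        '!'*) pw_locked=1 ;;                    # section 2: public keys still work
        *)    pw_locked=0 ;;
    esac

    case "$shell_blocked$pw_locked" in
        11) echo nologin+locked ;;
        10) echo nologin ;;
        01) echo locked ;;
        *)  echo active ;;
    esac
}

for u in jephe corkroo alice bob; do
    printf '%-8s %s\n' "$u" "$(account_state "$u")"
done
```

Only the "expired" verdict means SSH is refused outright; "nologin" and "locked" each leave one path open (port forwarding and public keys respectively), which is the point of the pros and cons above.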

4. force sftp access only, not ssh

The user still has a normal shell /bin/bash, but /etc/ssh/sshd_config is configured to force the user to use sftp only, with no shell access:
[root@server1 ~]#   tail -7 /etc/ssh/sshd_config
Subsystem sftp internal-sftp

Match User corkroo
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

[root@server1 ~]# getent passwd corkroo

[root@server1 ~]# ssh corkroo@localhost
Password:  # then it just hangs here, no shell is given.
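Before relying on a Match block like the one above, it helps to check what sshd will actually apply to that user. The following added script (not from the original post) computes the effective value of a keyword for a given user from an sshd_config text, honouring Match User blocks. It assumes only Match User criteria are used (a Match line with any other criterion is treated as not matching) and, as in sshd, that a matching Match block overrides the global value while the first value seen for a keyword wins within each scope; the config text is a constructed sample modelled on the snippet above.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the settings sshd will
# apply to one user from an sshd_config text, honouring "Match User" blocks,
# so an sftp-only restriction can be checked before it is relied on.
# Assumptions: only "Match User" criteria are used (any other criterion makes
# the block non-matching); a value from a matching Match block overrides the
# global one, and within each scope the first value seen for a keyword wins.
# The config text is a constructed sample modelled on the snippet above.

SSHD_CONFIG_SAMPLE='Port 22
AllowTcpForwarding yes
X11Forwarding yes
Subsystem sftp internal-sftp

Match User corkroo
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Match User alice
    AllowTcpForwarding no'

effective_setting() {   # effective_setting USER KEYWORD -> value or "default"
    printf '%s\n' "$SSHD_CONFIG_SAMPLE" |
    awk -v u="$1" -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {
                inmatch = 1; hit = 0; other = 0
                for (f = 2; f < NF; f += 2) {        # criteria come in pairs
                    if (tolower($f) == "user") {
                        n = split($(f + 1), names, ",")
                        for (i = 1; i <= n; i++) if (names[i] == u) hit = 1
                    } else other = 1
                }
                active = (hit && !other)
                next
            }
            if (key != k) next
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)     # keep multi-word values
            sub(/[ \t]+$/, "", val)
            if (!inmatch)    { if (!g_set) { g = val; g_set = 1 } }
            else if (active) { if (!m_set) { m = val; m_set = 1 } }
        }
        END { if (m_set) print m; else if (g_set) print g; else print "default" }'
}

# True only when the user gets internal-sftp with both forwarding types off
sftp_only() {
    [ "$(effective_setting "$1" ForceCommand)" = internal-sftp ] &&
    [ "$(effective_setting "$1" AllowTcpForwarding)" = no ] &&
    [ "$(effective_setting "$1" X11Forwarding)" = no ]
}

for u in corkroo alice jephe; do
    if sftp_only "$u"; then echo "$u: sftp only"; else echo "$u: NOT restricted to sftp"; fi
done
```

On a live host the authoritative check is `sshd -T -C user=corkroo`, which prints the effective configuration for that user; the script is for reviewing a config file offline. Note that alice gets AllowTcpForwarding no but keeps her shell, so her restriction is not equivalent to corkroo's.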

Retrieve directory data underneath an NFS mounted directory

Jephe Wu - 

Problem:  we need to retrieve data that was in a directory before we NFS mounted over that same directory; however, we cannot umount it since it is a production environment
Concept:  use mount --bind / on another directory to retrieve the data without umounting the NFS share

1. check the existing files under /u05; for testing purposes, I have copied some archive log files from /u03 to /u05.
root@linuxtechres:/u05# ll
total 420
-rw-r----- 1 root root 229888 Oct 15 10:48 1_21996_817700775.arc
-rw-r----- 1 root root 180736 Oct 15 10:48 1_22005_817700775.arc

2. NFS mount /u05, which uses Netapp NFS storage for the controlfile
root@linuxtechres:/# mount /u05
root@linuxtechres:/# cd /u05
root@linuxtechres:/u05# ll
total 4
drwxr-xr-x 3 oracle dba 4096 Jun 28 09:51 control

3. now we need to retrieve the original files that are under /u05
root@linuxtechres:/u05# mkdir /tmp/recover
root@linuxtechres:/u05# mount --bind / /tmp/recover   # use / since original /u05 content is under / partition

4. check the bind-mounted directory
root@linuxtechres:/u05# cd /tmp/recover/
root@linuxtechres:/tmp/recover# ls
appdata boot home lost+found mnt proc selinux sys u01 u04 var
backup dev lib media net root srv tftpboot u02 u05
bin etc lib64 misc opt sbin stage tmp u03 usr

root@linuxtechres:/tmp/recover# cd u05
root@linuxtechres:/tmp/recover/u05# ll
total 420
-rw-r----- 1 root root 229888 Oct 15 10:48 1_21996_817700775.arc
-rw-r----- 1 root root 180736 Oct 15 10:48 1_22005_817700775.arc

5. compare the file md5sums
root@linuxtechres:/tmp/recover/u05# md5sum 1_21996_817700775.arc
f0af8a88658071aab2babab74c614159 1_21996_817700775.arc

root@linuxtechres:/tmp/recover/u05# md5sum /u03/oraarch/JEPHE/1_21996_817700775.arc
f0af8a88658071aab2babab74c614159 /u03/oraarch/JEPHE/1_21996_817700775.arc

6. umount /tmp/recover after the recovery
root@linuxtechres:/tmp/recover/u05# mount | grep recover
/ on /tmp/recover type none (rw,bind)
root@linuxtechres:/tmp/recover/u05# cd /
root@linuxtechres:/# umount /tmp/recover
root@linuxtechres:/# mount | grep recover
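Steps 3 to 6 above check a single file by hand. The following added script (not part of the original post) wraps the bind mount in a function and verifies the whole recovered tree against the originals by checksum before anything is unmounted. It assumes GNU find and md5sum; bind_recover needs root and real mount points, so it is only defined, and the demo at the bottom runs compare_trees on constructed directories that stand in for /tmp/recover/u05 and /u03/oraarch.

```shell
#!/bin/sh
# Added example, not part of the original post: reach files hidden under an
# NFS mount through a bind mount of the parent filesystem, then verify the
# whole recovered tree against the originals by checksum before unmounting,
# instead of comparing one file by hand. Assumptions: GNU find and md5sum;
# bind_recover needs root and real mount points, so it is only defined here,
# and the demo at the bottom runs compare_trees on constructed directories.

# bind_recover FS_ROOT HIDDEN_DIR TARGET: expose FS_ROOT (the filesystem that
# holds HIDDEN_DIR, "/" in the post) at TARGET; the hidden files then appear
# under TARGET/HIDDEN_DIR, e.g. /tmp/recover/u05
bind_recover() {
    mkdir -p "$3" && mount --bind "$1" "$3" && ls -l "$3/$2"
}

# tree_sums DIR: "md5sum  ./relative/path" for every regular file, sorted
tree_sums() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do md5sum "$f"; done )
}

# compare_trees RECOVERED ORIGINAL: succeed only if every file matches;
# a missing, extra or changed file makes the two lists differ
compare_trees() {
    if [ "$(tree_sums "$1")" = "$(tree_sums "$2")" ]; then
        echo "identical: $1 matches $2"
    else
        echo "DIFFERENT: $1 does not match $2"
        return 1
    fi
}

# Demo on constructed data (stand-in for /tmp/recover/u05 vs /u03/oraarch)
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORIG=$WORK/orig; GOOD=$WORK/recover_good; BAD=$WORK/recover_bad
mkdir -p "$ORIG/sub"
printf 'archive log one\n' > "$ORIG/1_21996_817700775.arc"
printf 'archive log two\n' > "$ORIG/sub/1_22005_817700775.arc"
cp -r "$ORIG" "$GOOD"
cp -r "$ORIG" "$BAD"
printf 'truncated\n' > "$BAD/sub/1_22005_817700775.arc"   # simulate a bad copy

compare_trees "$GOOD" "$ORIG"
compare_trees "$BAD" "$ORIG" || true
```

In the situation of the post you would call bind_recover / u05 /tmp/recover, copy the files out, run compare_trees on the copy against /tmp/recover/u05, and only then umount /tmp/recover as in step 6.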

Note: you may also use debugfs to retrieve data