4

I want to "block/restrict" one of the accounts on my dedicated server, but I want to allow the user to log in, then I want a message to pop up for him (for example in PuTTY) and then close the connection (so the PuTTY window will be up and he can read it, but he can't do/type anything in the console).

I remember that in the old days I was doing something like that on FreeBSD, but I kinda can't find any useful information about how to approach this problem.

Any help?

Eska
  • 495

2 Answers

4

1. Edit /etc/ssh/sshd_config and add these directives at the bottom:

Match User guest
    Banner /etc/ssh/banner_guest
    DenyUsers guest
Match all
  • Replace guest with the actual username.

2. Create the banner file: sudo nano /etc/ssh/banner_guest, and type your message inside, for example:

+------------------+
| Get out of here! |
+------------------+

3. Restart the SSH server:

sudo systemctl restart ssh.service

The result would be:

EDIT:

Please note that, in the above example, regardless of whether PubkeyAuthentication is available and there is a valid /home/guest/.ssh/authorized_keys file, the user will get Permission denied (publickey).

If PasswordAuthentication is available, the user will be asked a few times for their password and in the end will get Permission denied (password). So if you want to further tease him (or her), change the above directives in this way:

Match User guest
    PasswordAuthentication yes
    PubkeyAuthentication no
    MaxAuthTries 20
    Banner /etc/ssh/banner_guest
    DenyUsers guest
Match all

For me, the cleanest way is to just show the message and kick them:

Match User guest
    PasswordAuthentication no
    PubkeyAuthentication no
    MaxAuthTries 1
    Banner /etc/ssh/banner_guest
    DenyUsers guest
Match all

The result of the above will be identical to the result of the first suggestion, but the message Permission denied (publickey) (Server refused our key) will not appear.

pa4080
  • 30,621
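As an added illustration (not part of either answer and not OpenSSH code), this Python sketch models how sshd scopes the directives from the answer above: settings inside `Match User guest` apply only to that user, and `Match all` ends the scope so later lines apply to everyone again. The sample config, the user `alice` and the function names are constructed for the example; only `Match User` and `Match all` are modelled, and repeated or negated patterns are not.

```python
from fnmatch import fnmatchcase

# Constructed sample: one global setting, the block from the answer,
# and a directive appended after "Match all".
SAMPLE_CONFIG = """\
PasswordAuthentication yes
Match User guest
    PasswordAuthentication no
    PubkeyAuthentication no
    MaxAuthTries 1
    Banner /etc/ssh/banner_guest
    DenyUsers guest
Match all
X11Forwarding no
"""

def effective_settings(config_text, user):
    """Return {keyword: value} for `user` under a simplified Match model."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            target = match_opts  # everything after the first Match is conditional
            crit = value.split()
            if len(crit) == 1 and crit[0].lower() == "all":
                active = True
            elif len(crit) == 2 and crit[0].lower() == "user":
                active = any(fnmatchcase(user, p) for p in crit[1].split(","))
            else:
                raise ValueError(f"unsupported Match criteria: {value}")
            continue
        if active:
            target.setdefault(keyword, value)  # first value obtained wins
    return {**global_opts, **match_opts}  # Match values override globals

def is_locked_out(config_text, user):
    """True when the effective DenyUsers value names `user` (plain patterns only)."""
    denied = effective_settings(config_text, user).get("denyusers", "")
    return any(fnmatchcase(user, p) for p in denied.split())
```

On the server itself, `sshd -t` checks the edited file for syntax errors before the restart, and `sshd -T -C user=guest` prints the settings sshd would actually apply to that user.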
1

I guess you are referring to /usr/sbin/nologin shell.

It is much simpler than the other answer, which implements something like this in a more complex way. Just add:

Match User guest
  ForceCommand /usr/sbin/nologin

And the user will get the message:

This account is currently not available.

(or another one configured in /etc/nologin.txt)

pa4080
  • 30,621
Jakuje
  • 6,793