Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
We have a linux(SUSE 10) server that authenticates against AD(Windows 2003). Problem is anyone with an AD account can ssh in to the server. We don't want anyone to be able to login via ssh only the users in one particular group.
I have tried editing the sshd_config file and adding the group to AllowGroups but this doesn't work. I have searched google and have not had much luck in finding anything.
I use AllowUsers <my_username>, seem to work great, i thought AllowGroups shall work the same way.
did you restart sshd? try to start it in verbose mode and check the outputs when you connect: why would it allow to login.
I use AllowUsers <my_username>, seem to work great, i thought AllowGroups shall work the same way.
did you restart sshd? try to start it in verbose mode and check the outputs when you connect: why would it allow to login.
did you put your domain\\username or just your username? yes i restarted the sshd after each change i made to the sshd_config file.
This keyword can be followed by a list of user name patterns, separated by spaces.
Why would i possibly want a domain name(in a weird form) there?
In this context i only have AllowUsers <my_username> and it only allows my account to login, all others get permission denied, as expected.
Please, pastebin your sshd_config and try running sshd in verbose mode and then try connecting it and copy that outputs also.
Why would i possibly want a domain name(in a weird form) there?
Because i tried everything else.
Quote:
In this context i only have AllowUsers <my_username> and it only allows my account to login, all others get permission denied, as expected.
Please, pastebin your sshd_config and try running sshd in verbose mode and then try connecting it and copy that outputs also.
Below is a snippet of my sshd_config
Code:
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes
AllowUsers da_xxxxxxxxx
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
da_xxxxxxxx is my domain username. i also tried domain\\da_xxxxxx , domain\da_xxxxxxx, domain+da_xxxxxxxx
and that still allows other users to log in?
you didn't post your entire config, do you have some other rules there(allowgroup,denygroup,denyusers)?
did you try running sshd in verbose(-v) mode and see why is that happening?
and that still allows other users to log in?
you didn't post your entire config, do you have some other rules there(allowgroup,denygroup,denyusers)?
did you try running sshd in verbose(-v) mode and see why is that happening?
No it doesn't allow anyone in.
I don't have any other deny or allow statements
If I look at var/log/messages it just says illegal user.
weird.
well, this is my config, it only allows my username in: http://codepad.org/Mg9kGXsp
hope this helps.
here, when i try to log in as 'nonadm', it fails and writes this kind of stuff into /var/log/auth.log (deb):
Code:
Jan 10 04:31:36 srvr sshd[14355]: User nonadm from 94.41.*.* not allowed because not listed in AllowUsers
Jan 10 04:31:36 srvr sshd[14355]: Failed none for invalid user nonadm from 94.41.*.* port 14578 ssh2
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
