LinuxQuestions.org
Old 10-06-2013, 10:26 AM   #1
snjksh
Member
 
Registered: Jan 2008
Location: Pune, India
Distribution: RHEL
Posts: 34

Rep: Reputation: 0
AllowUsers and AllowGroup not working together


Hi,

AllowUsers user or AllowGroup group in the sshd config file is working fine.

But they are not working together. Is it possible to use both of them together?

I am using RHEL 6.4.
 
Old 10-06-2013, 05:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
'man sshd_config' says: "The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups." so it kind of depends on how you set things up. Post what you're actually trying to accomplish?
 
Old 10-08-2013, 02:06 AM   #3
snjksh
Member
 
Registered: Jan 2008
Location: Pune, India
Distribution: RHEL
Posts: 34

Original Poster
Rep: Reputation: 0
Hi,

Requirement :

AllowUsers user-a user-b

AllowGroup group-1

user-c and user-d are members of group-1.
 
Old 10-08-2013, 02:57 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
So how would
DenyUsers user-c user-d
AllowUsers user-a user-b

work then?
*BTW if the sshd service uses PAM there's also pam_access, pam_group and pam_listfile which may allow for more fine-grained access controls.
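
Added example (not part of any post in this thread): a small Python model of the processing order quoted from the man page in post #2, run against the configurations from posts #3 and #4. It shows that a non-empty AllowUsers and a non-empty AllowGroups must both match, so the two lists are effectively ANDed. Assumptions: user-a and user-b are not members of group-1, the directive is spelled AllowGroups as in the man page, and the group "ssh-direct" is a hypothetical name used to show a groups-only alternative.

```python
from fnmatch import fnmatchcase

# Constructed accounts. Assumption: user-a and user-b are NOT in group-1.
GROUPS = {
    "user-a": ["user-a"],
    "user-b": ["user-b"],
    "user-c": ["user-c", "group-1"],
    "user-d": ["user-d", "group-1"],
}
# Hypothetical fix: user-a and user-b are added to a new group "ssh-direct".
GROUPS_FIXED = dict(GROUPS, **{u: [u, "ssh-direct"] for u in ("user-a", "user-b")})

def _match(names, patterns):
    # sshd patterns use '*' and '?'; user@host forms and '!' negation are not modelled.
    return any(fnmatchcase(n, p) for n in names for p in patterns)

def sshd_allows(user, cfg, groups):
    """Return (allowed, deciding_directive) in the documented order."""
    member_of = groups.get(user, [])
    if _match([user], cfg.get("DenyUsers", [])):
        return False, "DenyUsers"
    # A non-empty Allow* list denies everyone it does not name.
    if cfg.get("AllowUsers") and not _match([user], cfg["AllowUsers"]):
        return False, "AllowUsers"
    if _match(member_of, cfg.get("DenyGroups", [])):
        return False, "DenyGroups"
    if cfg.get("AllowGroups") and not _match(member_of, cfg["AllowGroups"]):
        return False, "AllowGroups"
    return True, "ok"

def evaluate(cfg, groups=GROUPS):
    return {u: sshd_allows(u, cfg, groups) for u in sorted(groups)}

# Configuration from post #3, configuration from post #4, and a hypothetical alternative.
BOTH = {"AllowUsers": ["user-a", "user-b"], "AllowGroups": ["group-1"]}
DENY_ALLOW = {"DenyUsers": ["user-c", "user-d"], "AllowUsers": ["user-a", "user-b"]}
GROUPS_ONLY = {"AllowGroups": ["group-1", "ssh-direct"]}

if __name__ == "__main__":
    for name, cfg, grp in (("both", BOTH, GROUPS), ("deny+allow", DENY_ALLOW, GROUPS),
                           ("groups only", GROUPS_ONLY, GROUPS_FIXED)):
        print(name, evaluate(cfg, grp))
```

On a real host, `sshd -T` prints the effective configuration, and sshd logs which directive refused a login.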
 
Old 10-09-2013, 09:17 AM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Rep: Reputation: 1159
Also ... in a real-world corporate setting, it doesn't take too long to see the virtue of a centrally-managed arrangement such as one built on Kerberos or LDAP (nee OpenDirectory). You see, right now you're setting up one-of-a-kind rules in a one-of-a-kind place, probably with the intent of matching rules that exist somewhere-else for the same group of people, and the fundamental problem here can only get worse; more unmanageable.

If you have any sort of "substantial" number of rules to deal with here, and especially if you need to match "the settings that exist for the same people in other contexts," seriously consider centralizing that process. Linux, thanks to PAM, is perfectly capable of it.

There's actually a rather serious sort of vulnerability that comes from finding "the exception to the rule," and one of the classic places to do that is by seeking-out what is difficult-to-manage. "Perhaps it would be possible to worm into the Linux system and, from there, maybe be accepted by the rest of the system as actually being that person ..." If the Linux system, instead, conforms to the corporate-world by virtue of respecting the same authority that everyone else does, it will no longer present that vulnerability to the enterprise. This is an absolutely pure-human consideration, but, as such, it is maybe more-real than bits and bytes alone would suggest.

Last edited by sundialsvcs; 10-09-2013 at 09:21 AM.
 