[SOLVED] AllowUsers and AllowGroup not working together
'man sshd_config' says: "The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups." so it kind of depends on how you set things up. Post what you're actually trying to accomplish?
So how would
    DenyUsers user-c user-d
    AllowUsers user-a user-b
work then?
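As an added illustration, not code from this thread or from OpenSSH itself: a small Python model of the sshd_config(5) evaluation order quoted above (DenyUsers, AllowUsers, DenyGroups, AllowGroups), run against the directives in the question and against AllowUsers and AllowGroups set together. The account names and group memberships are constructed; wildcard handling is approximated with fnmatch, and the user@host pattern form is left out.

```python
from fnmatch import fnmatchcase


def _matches(name, patterns):
    # sshd patterns use '*' and '?' wildcards; fnmatchcase is a close stand-in
    return any(fnmatchcase(name, p) for p in patterns)


def sshd_user_allowed(user, groups, deny_users=(), allow_users=(),
                      deny_groups=(), allow_groups=()):
    """Mirror the order from sshd_config(5): DenyUsers, AllowUsers,
    DenyGroups, AllowGroups. Every directive that is set must let the
    login through; the first one that rejects wins. Returns (allowed, why)."""
    if deny_users and _matches(user, deny_users):
        return False, "DenyUsers"
    if allow_users and not _matches(user, allow_users):
        return False, "AllowUsers"          # listed nowhere in AllowUsers
    if deny_groups and any(_matches(g, deny_groups) for g in groups):
        return False, "DenyGroups"
    if allow_groups and not any(_matches(g, allow_groups) for g in groups):
        return False, "AllowGroups"         # no group matches AllowGroups
    return True, "allowed"


# Constructed accounts (hypothetical): user -> primary + supplementary groups
ACCOUNTS = {
    "user-a": ["user-a", "admins"],
    "user-b": ["user-b", "admins"],
    "user-c": ["user-c", "staff"],
    "user-d": ["user-d", "admins"],
    "user-e": ["user-e", "staff"],
}

# The directives from the question: DenyUsers user-c user-d / AllowUsers user-a user-b
QUESTION_CONFIG = {"deny_users": ["user-c", "user-d"], "allow_users": ["user-a", "user-b"]}
# The thread title's situation: AllowUsers and AllowGroups both set. They are ANDed,
# so user-b (in admins, but not in AllowUsers) is still refused.
TITLE_CONFIG = {"allow_users": ["user-a"], "allow_groups": ["admins"]}
# Allowing by group and denying individual members does combine as expected.
GROUP_CONFIG = {"deny_users": ["user-d"], "allow_groups": ["admins"]}


def evaluate(config):
    """Decision for every constructed account under one set of directives."""
    return {u: sshd_user_allowed(u, g, **config) for u, g in ACCOUNTS.items()}


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("title", TITLE_CONFIG), ("group", GROUP_CONFIG)):
        print(name)
        for u, (ok, why) in evaluate(cfg).items():
            print(f"  {u}: {'allowed' if ok else 'denied by ' + why}")
```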
*BTW if the sshd service uses PAM there's also pam_access, pam_group and pam_listfile which may allow for more fine-grained access controls.
Also ... in a real-world corporate setting, it doesn't take too long to see the virtue of a centrally-managed arrangement such as one built on Kerberos or LDAP (nee OpenDirectory). You see, right now you're setting up one-of-a-kind rules in a one-of-a-kind place, probably with the intent of matching rules that exist somewhere-else for the same group of people, and the fundamental problem here can only get worse, more unmanageable.
If you have any sort of "substantial" number of rules to deal with here, and especially if you need to match "the settings that exist for the same people in other contexts," seriously consider centralizing that process. Linux, thanks to PAM, is perfectly capable of it.
There's actually a rather serious sort of vulnerability that comes from finding "the exception to the rule," and one of the classic places to do that is by seeking-out what is difficult-to-manage. "Perhaps it would be possible to worm into the Linux system and, from there, maybe be accepted by the rest of the system as actually being that person ..." If the Linux system, instead, conforms to the corporate-world by virtue of respecting the same authority that everyone else does, it will no longer present that vulnerability to the enterprise. This is an absolutely pure-human consideration, but, as such, it is maybe more-real than bits and bytes alone would suggest.
Last edited by sundialsvcs; 10-09-2013 at 08:21 AM.