Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to deny all sshd logins except for one for the duration of some server maintenance (on RH9 machine). I want to include the one user in case I get kicked off the box for some reason (bad network connection) and thus prevent myself from re-logging in.
I tried putting the following in /etc/ssh/sshd_config:
Code:
DenyUsers *
AllowUsers johndoe
..but that didn't seem to work. Might anyone have any additional suggestions?
The only thing I can think to do is list _all_ the logins (by simply putting /etc/passwd through a filter to get all the logins on one line), but I'd like to find a more effective process for handling this requirement in the future.
AllowGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. If specified, login is allowed only for
users whose primary group or supplementary group list matches one
of the patterns....
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. `*' and `?' can be
used as wildcards in the patterns.
For completeness' sake, and only on platforms where services use PAM, you could also edit /etc/pam.d/[servicename] and include a listfile line in the auth section. This gives you the ability to add usernames to a plain text file to be denied/allowed (according to the "sense" statement you supply listfile with). I use it because it's centralised, faster, can be used across (PAM-ified) services and doesn't need me to edit each and every daemon config.
I'm missing something. Will not the above code allow all the users in group=users as well as johndoe?
Also, what happens when I don't want to have to know and/or manage all the different groups on a system? I just want to disallow everyone except one *user* without having to track down if there are more users not constrained by the group=user.
Originally posted by unSpawn For completeness' sake, and only on platforms where services use PAM, you could also edit /etc/pam.d/[servicename] and include a listfile line in the auth section. This gives you the ability to add usernames to a plain text file to be denied/allowed (according to the "sense" statement you supply listfile with). I use it because it's centralised, faster, can be used across (PAM-ified) services and doesn't need me to edit each and every daemon config.
I'm not familiar with PAM, how it operates, nor how to manage it. Got a recommend link where I can read more?
Originally posted by mattengland I'm missing something.
Yes, you are. What you are missing is:
Code:
man sshd_config
man pages are always a good place to start (or even Google).
Quote:
Originally posted by mattengland Will not the above code allow all the users in group=users as well as johndoe
No. Again from man sshd_config:
Code:
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for user names that match one of the patterns.
You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
Got a recommend link where I can read more?
It's gotten lost somewhere in the depths of /usr/share/doc/pam-[0-9].* :-]
Check if you got a file "/lib/security/pam_listfile.so".
If you got /etc/pam.d/ssh, locate the lines starting with "auth" and add this line beneath the last "auth" statement:
Originally posted by TruckStuff Yes, you are. What you are missing is:
Code:
man sshd_config
man pages are always a good place to start (or even Google). ...
You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
to be fair, the man page really doesn't say that though, does it?
Code:
AllowUsers
This keyword can be followed by a list of user name patterns, sepa-
rated by spaces. If specified, login is allowed only for user names
that match one of the patterns. '*' and '?' can be used as wild-
cards in the patterns. Only user names are valid; a numerical user
ID is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are sepa-
rately checked, restricting logins to particular users from particu-
lar hosts.
that doesn't mention anything about also having to have the AllowGroups directive present in the configuration. how is anyone supposed to know that (if in fact it's true)? just by guessing? there are dozens of other directives in the man pages, also. which other ones do we have to guess have to be present when using AllowUsers, or any other option?
if you read the AllowGroups description, it likewise doesn't mention anything about having to have that option specified if you are using AllowUsers. in fact, it even says that all groups are allowed by default if you don't include it!
Code:
AllowGroups
This keyword can be followed by a list of group name patterns, sepa-
rated by spaces. If specified, login is allowed only for users
whose primary group or supplementary group list matches one of the
patterns. '*' and '?' can be used as wildcards in the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
so if anything, the logical thing to conclude from what the man pages say is that by not specifying AllowGroups, all groups are allowed, and you can then specify which users are allowed by using the AllowUsers option. anything concluded other than that would have to be called mindreading, clairvoyance (or poor documentation).
Originally posted by TruckStuff Not really, that's why I told him.
Quote:
Originally posted by TruckStuff You must also have the AllowGroups directive, otherwise, sshd won't let johndoe in b/c he is not in an authorized group.
please show me in the AllowUsers description where it says you also have to include the AllowGroups directive if you're using AllowUsers? or maybe i'm just misunderstanding you, too.
Originally posted by TruckStuff Sorry, I was trying to agree with you.
okay. i just didn't understand why you were referring him there if it wasn't giving accurate info. but as long as we're in agreement, i'm fine with that.
There is no requirement for AllowGroups if you're using AllowUsers
SSH will attempt to deny access from anyone it thinks you are trying to specify, by saying:
DenyUsers *
the fact that you're putting in an AllowUsers never gets read, because the daemon has already denied access to all users.
Using AllowUsers and AllowGroups, the daemon automatically figures you want to deny everyone else.
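The evaluation order the last reply relies on is documented in sshd_config(5): DenyUsers is processed first, then AllowUsers, then DenyGroups, then AllowGroups, and the first directive that yields a verdict wins. The following is an added example, not code from the thread or from OpenSSH: a small Python model of that access-list stage, used to show why the original poster's `DenyUsers *` + `AllowUsers johndoe` locks everyone out while `AllowUsers johndoe` on its own does what was wanted. The configs, user names, group names and host addresses in it are constructed for the demonstration; `lint_config` is a hypothetical helper, not an sshd feature, and real sshd still goes on to check keys, passwords and PAM after this stage.

```python
"""Model of how sshd applies DenyUsers / AllowUsers / DenyGroups / AllowGroups.

Added example (not from the thread or from OpenSSH). Assumes the documented
order DenyUsers, AllowUsers, DenyGroups, AllowGroups with the first verdict
winning; '*' and '?' wildcards as in sshd_config; USER@HOST user patterns
check user and host separately. Only the access-list stage is modelled.
"""
from fnmatch import fnmatchcase

DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_config(text):
    """Return {directive: [patterns]} for the four access-list directives.
    sshd keywords are case-insensitive, so compare them lowercased."""
    lists = {d: [] for d in DIRECTIVES}
    canon = {d.lower(): d for d in DIRECTIVES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = canon.get(parts[0].lower())
        if key and len(parts) > 1:
            lists[key].extend(parts[1].split())
    return lists


def _user_matches(pattern, user, host):
    """Wildcard match; USER@HOST restricts the user to particular hosts."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatchcase(user, upat) and fnmatchcase(host, hpat)
    return fnmatchcase(user, pattern)


def _group_matches(patterns, groups):
    return any(fnmatchcase(g, p) for g in groups for p in patterns)


def login_allowed(config_text, user, groups, host="203.0.113.5"):
    """Apply the directives in sshd's documented order.
    Returns (allowed, reason)."""
    lists = parse_config(config_text)
    if any(_user_matches(p, user, host) for p in lists["DenyUsers"]):
        return False, "matched DenyUsers"
    if lists["AllowUsers"] and not any(
            _user_matches(p, user, host) for p in lists["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if _group_matches(lists["DenyGroups"], groups):
        return False, "matched DenyGroups"
    if lists["AllowGroups"] and not _group_matches(lists["AllowGroups"], groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


def lint_config(config_text):
    """Hypothetical check: flag a config that denies everyone before
    AllowUsers is ever consulted (the mistake from the thread)."""
    lists = parse_config(config_text)
    if "*" in lists["DenyUsers"] and lists["AllowUsers"]:
        return ["DenyUsers * is evaluated first and denies every user; "
                "drop it and rely on AllowUsers alone"]
    return []


# Constructed configs: the original poster's attempt and the working form.
BROKEN_CONFIG = "DenyUsers *\nAllowUsers johndoe\n"
WORKING_CONFIG = "AllowUsers johndoe\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        for user in ("johndoe", "alice"):
            print(name, user, login_allowed(cfg, user, ["users"]))
        print(name, "lint:", lint_config(cfg))
```

Running it shows johndoe denied under the broken config ("matched DenyUsers") and allowed under the working one, with every other user refused by "not listed in AllowUsers" and no AllowGroups line needed. The same model also shows the USER@HOST form restricting the maintenance login to a chosen source network, which is the safer shape for the "keep one door open" requirement in the original question.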