LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-03-2005, 08:03 PM   #16
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15

Quote:
Originally posted by this213
There is no requirement for AllowGroups if you're using AllowUsers
That's the cleanest suggestion in my book, if true.

Can we get an official ruling on this from anyone else? I'd sure prefer to do this (just using "AllowUsers mattengland") rather than having to also put in the still-confusing-to-me AllowGroups additional requirement.

-Matt
 
Old 10-03-2005, 08:59 PM   #17
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
I'll try it at work tomorrow. I remember it not being clear when I first found this out also.
 
Old 10-03-2005, 10:09 PM   #18
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Can we get an official ruling on this from anyone else?
Official ruling = you testing and confirming.
 
Old 10-04-2005, 08:39 AM   #19
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 46
I just tested it, and it definitely works on my machine with just AllowUsers. I thought that needing AllowGroups sounded wrong, sorry TruckStuff. You must have had some other mis/configuration conflict going on to have it not work.


***edit: here's a log of the session:
Code:
jeff@moe:~ $ ssh -l sero homer -p xxxx
sero@homer's password: 
Last login: Tue Oct  4 09:22:58 2005 from moe
[1] sero:~ $ exit
logout
Connection to homer closed.

jeff@moe:~ $ ssh -l jeff homer -p xxxx
jeff@homer's password: 
Last login: Tue Oct  4 09:29:23 2005 from moe
[jeff@homer ~]$ exit
logout
Connection to homer closed.

*AllowUsers sero* added to config

jeff@moe:~ $ ssh -l sero homer -p xxxx
sero@homer's password: 
Last login: Tue Oct  4 09:33:49 2005 from moe
[1] sero:~ $ exit
logout
Connection to homer closed.

jeff@moe:~ $ ssh -l jeff homer -p xxxx
jeff@homer's password: 
Permission denied, please try again.
jeff@homer's password: 
Permission denied, please try again.
jeff@homer's password: 
Permission denied (publickey,password,keyboard-interactive).
jeff@moe:~ $

so mattengland: the solution to your problem is just to take out the DenyUsers *.



Last edited by slackhack; 10-04-2005 at 08:49 AM.
 
Old 10-04-2005, 09:43 AM   #20
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by slackhack
so mattengland: the solution to your problem is just to take out the DenyUsers *.
Suuweeet. Thanks for this work.

I'll also check this out next time I have to do some server maintenance and need to block logins.

Thanks again,
-Matt
 
Old 10-04-2005, 09:53 AM   #21
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by slackhack
I just tested it, and it definitely works on my machine with just AllowUsers. I thought that needing AllowGroups sounded wrong, sorry TruckStuff. You must have had some other mis/configuration conflict going on to have it not work.
Well, screw me. Did the same thing and it worked fine. Guess it was some other config issue at the time.
 
Old 10-04-2005, 10:01 AM   #22
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
imho, the sshd_config syntax needs an overhaul. It's way too easy for smart admins to get confused and/or things to break in general.

Do any of the sshd developers read this board?

-Matt
 
Old 10-04-2005, 10:20 AM   #23
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
What would you overhaul? As I mentioned in my first post to you, it's a matter of figuring out the precedence. It seems intuitive that
Code:
DenyUsers *
would deny everyone.

In some Linux applications, the accept list is evaluated first and in others the deny list is evaluated first. I imagine they had good reasons for making the choice they did.
 
Old 10-04-2005, 11:57 AM   #24
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by anomie
What would you overhaul? As I mentioned in my first post to you, it's a matter of figuring out the precedence. It seems intuitive that
Code:
DenyUsers *
would deny everyone.

In some Linux applications, the accept list is evaluated first and in others the deny list is evaluated first. I imagine they had good reasons for making the choice they did.
...I'd just like to know them. I suspect they are that it's easier to construct the software rather than easier to use it. Such is the way of life with many software things; alas, usability is key here when experienced sysadmins debate on a thread this long to figure out the right answer for something as critical as system authentication/accessibility security.

In general, I would argue that:

Code:
DenyUsers *
AllowUsers johndoe
Makes intuitive sense to most humans that johndoe would be the only person with access to the system...at least to those who are not already sshd-ized. Alas, maybe I'm naive and/or am lacking in sufficient experience.

Technically speaking: I'd ask sshd to evaluate the entire sshd_config file, and allow for modifications of earlier commands, before enforcing a security policy.

Either that...or simply come up with an entirely different command set and human interaction that has fewer faulty interpretations. Something completely different. I don't have suggestions on this at the moment, but given my past experience with similar things, I suspect it is quite possible.

-Matt
 
Old 10-04-2005, 12:03 PM   #25
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
The tcp wrappers mechanism works the way you are thinking of.

There is an allow file, which it scans first. There is also a deny file, which it scans second.

So an allowed service / IP in the first file will override a blanket deny in the second file, which lets you set up rules like "let this IP range in for this service" and then later "block everyone".

I guess it is arguable which is more intuitive.
 
Old 10-04-2005, 01:36 PM   #26
this213
Member
 
Registered: Dec 2001
Location: ./
Distribution: Fedora, CentOS, RHEL, Gentoo
Posts: 167

Rep: Reputation: 34
Since I work with firewalls quite a bit, I would argue that:
Code:
DenyUsers *
AllowUsers johndoe
would still block everyone because the system would evaluate DenyUsers first and stop when the first rule matched.

Something like this:
Code:
AllowUsers johndoe
DenyUsers *
would make more sense, because the system would evaluate AllowUsers BEFORE DenyUsers.

However, we're not talking about a firewall here. Having "DenyUsers *" anywhere in sshd_config will, in fact, deny all of the users regardless of any other settings you may have - regardless of precedence. Go ahead and try it.

The reasoning for this is security minded. If you happen to have a complex set of allows and denies, the creators want you to be able to block access to the service quickly without having to rewrite everything. At least, that's my take on it.

Personally, I think it works beautifully as designed. If you have an allow directive, you have no need for deny directives, and vice versa.
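To make the precedence this213 describes concrete, here is an added example (not from any poster and not OpenSSH's own code) that evaluates an sshd_config snippet in the order documented in sshd_config(5), DenyUsers, AllowUsers, DenyGroups, AllowGroups, and, for contrast, the hosts.allow-first order anomie describes for TCP wrappers. It assumes plain user/group names or glob patterns only (no user@host form, no Match blocks); the configs and names are constructed from the thread.

```python
import fnmatch

# sshd_config(5) documents the allow/deny evaluation order as
# DenyUsers, AllowUsers, DenyGroups, AllowGroups: a matching deny list
# always wins, and a non-empty allow list that does not match also denies.
ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

def parse_sshd_config(text: str) -> dict[str, list[str]]:
    # Assumption: plain names or glob patterns only (no user@host form,
    # no Match blocks); repeated directive lines are accumulated.
    lists: dict[str, list[str]] = {d: [] for d in ORDER}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # strip comments, tokenize
        for d in ORDER:
            if parts and parts[0].lower() == d.lower():
                lists[d].extend(parts[1:])
    return lists

def _matches(name: str, patterns: list[str]) -> bool:
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def sshd_decision(config: str, user: str, groups: list[str]) -> tuple[bool, str]:
    """Decide a login the way sshd does; returns (allowed, reason)."""
    l = parse_sshd_config(config)
    if _matches(user, l["DenyUsers"]):
        return False, "matched DenyUsers"
    if l["AllowUsers"] and not _matches(user, l["AllowUsers"]):
        return False, "not in AllowUsers"
    if any(_matches(g, l["DenyGroups"]) for g in groups):
        return False, "group matched DenyGroups"
    if l["AllowGroups"] and not any(_matches(g, l["AllowGroups"]) for g in groups):
        return False, "no group in AllowGroups"
    return True, "allowed"

def wrappers_decision(allow: list[str], deny: list[str], client: str) -> tuple[bool, str]:
    """Contrast: TCP wrappers consult hosts.allow first, then hosts.deny,
    so an allow entry overrides a blanket deny. Assumption: entries are
    plain glob patterns on the client name/address, no service field."""
    if _matches(client, allow):
        return True, "matched hosts.allow"
    if _matches(client, deny):
        return False, "matched hosts.deny"
    return True, "no rule matched"

# Constructed configs: the lockout variant and the one that worked in slackhack's test.
LOCKOUT_CONFIG = "DenyUsers *\nAllowUsers johndoe\n"
WORKING_CONFIG = "AllowUsers sero\n"
```

Running `sshd_decision(LOCKOUT_CONFIG, "johndoe", ["users"])` reports the DenyUsers match, which is exactly why the AllowUsers line after it never helps.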
 
Old 10-04-2005, 08:49 PM   #27
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by this213
The reasoning for this is security minded. If you happen to have a complex set of allows and denies, the creators want you to be able to block access to the service quickly without having to rewrite everything. At least, that's my take on it.
Ok, I can dig that. Makes sense.

-Matt
 
Old 11-04-2007, 01:43 AM   #28
gnuzilla
LQ Newbie
 
Registered: Apr 2006
Location: Chagrin Falls, OH
Distribution: Ubuntu / Debian
Posts: 17

Rep: Reputation: Disabled
I hope somebody fixes the man page.

I hope someone edits the manpage; some of those pages are not in the best shape.
 
Old 11-04-2007, 02:53 PM   #29
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 378
Quote:
Originally Posted by gnuzilla
I hope someone edits the manpage; some of those pages are not in the best shape.
This thread has been dead for over two years. What was the point of resurrecting it? If you want the man page to be improved please contact the upstream developers. This thread is being closed so it can rest in peace.
 