sshd_config and AllowGroups + AllowUsers
Miroslav Lachman
000.fbsd at quip.cz
Tue Apr 4 21:42:47 CEST 2017
I usually use AllowGroups in sshd_config so that only users from a
specific group can log in over SSH. Now I wanted to add one more
special user from a specific IP using
AllowUsers user@1.2.3.4, but I ran into the problem that this then allows
access only to that user, and nobody else can log in, not even those who
are in AllowGroups.
I tried searching and I am finding conflicting information.
For example, here is
http://www.unixlore.net/articles/five-minutes-to-even-more-secure-ssh.html
AllowUsers vader@10.0.0.1 maul@sproing.evillittleman.net sidious tyranus@*.evillitleman.net
AllowGroups wheel staff
This tells sshd to only allow connections from the user vader and only
from the IP address 10.0.0.1. The user maul is also allowed, but only
from the host sproing.evillittleman.net. User sidious is allowed from
anywhere, and the user tyranus is also allowed, from any host in the
evillittleman.net domain (the asterisk matches zero or more characters).
The AllowGroups line allows login only from users whose primary group
name or supplementary group list match one of 'wheel' or 'staff'.
Keep in mind that using AllowUsers or AllowGroups means that anyone not
matching one of the supplied patterns will be denied access by default.
man sshd_config(5) says
The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
From that it seemed to me that it should work the way I imagined.
But evidently it does not.
Does anyone have any deeper experience with this?
Is it possible to allow "anyone from the group" and at the same time
"a specific user from an IP"?
Mirek
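
Added example, not part of the original post and not OpenSSH code: a small Python model of the four checks in the order quoted from sshd_config(5), where every list that is set must pass, which reproduces the behaviour reported above. The group "sshusers" and the accounts "alice" and "special" are hypothetical, and pattern matching is simplified to fnmatch wildcards against a single host string.

```python
from fnmatch import fnmatchcase

def _user_matches(patterns, user, host):
    """True if user (connecting from host) matches any USER or USER@HOST pattern."""
    for pat in patterns:
        upat, sep, hpat = pat.partition("@")
        if fnmatchcase(user, upat) and (not sep or fnmatchcase(host, hpat)):
            return True
    return False

def _group_matches(patterns, groups):
    """True if any of the user's groups matches any group pattern."""
    return any(fnmatchcase(g, p) for g in groups for p in patterns)

def login_allowed(cfg, user, groups, host):
    """Sequential checks: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    A configured Allow* list that does not match ends the check with a denial."""
    if _user_matches(cfg.get("DenyUsers", []), user, host):
        return False
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not _user_matches(allow_users, user, host):
        return False
    if _group_matches(cfg.get("DenyGroups", []), groups):
        return False
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not _group_matches(allow_groups, groups):
        return False
    return True

# Constructed configurations (assumed names, see lead-in).
GROUPS_ONLY = {"AllowGroups": ["sshusers"]}
BOTH = {"AllowGroups": ["sshusers"], "AllowUsers": ["special@1.2.3.4"]}

def demo():
    """Return (allowed with GROUPS_ONLY, allowed with BOTH) for each constructed case."""
    cases = [
        ("alice", ["sshusers"], "10.0.0.5"),            # ordinary group member
        ("special", ["special"], "1.2.3.4"),            # listed user, not in the group
        ("special", ["special", "sshusers"], "1.2.3.4"),  # listed user, in the group
        ("special", ["special", "sshusers"], "5.6.7.8"),  # listed user, other address
    ]
    return [(login_allowed(GROUPS_ONLY, *c), login_allowed(BOTH, *c)) for c in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this model the two lists are combined with AND, not OR: once AllowUsers is set, a group member who is not listed there is rejected before AllowGroups is ever consulted.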