sshd_config and AllowGroups + AllowUsers

Miroslav Lachman 000.fbsd at quip.cz
Tue Apr 4 21:42:47 CEST 2017


I usually use AllowGroups in sshd_config so that only users from a 
specific group can log in via SSH. Now I wanted to add one more special 
user from a specific IP using 
AllowUsers user@1.2.3.4, but I ran into the problem that it then allows 
access only to this user and nobody else can log in, not even those who 
are in AllowGroups.

I tried searching and I'm finding conflicting information.

For example, this page
http://www.unixlore.net/articles/five-minutes-to-even-more-secure-ssh.html

AllowUsers vader@10.0.0.1 maul@sproing.evillittleman.net sidious 
tyranus@*.evillitleman.net
AllowGroups wheel staff

This tells sshd to only allow connections from the user vader and only 
from the IP address 10.0.0.1. The user maul is also allowed, but only 
from the host sproing.evillittleman.net. User sidious is allowed from 
anywhere, and the user tyranus is also allowed, from any host in the 
evillittleman.net domain (the asterisk matches zero or more characters).

The AllowGroups line allows login only from users whose primary group 
name or supplementary group list match one of 'wheel' or 'staff'.

Keep in mind that using AllowUsers or AllowGroups means that anyone not 
matching one of the supplied patterns will be denied access by default.


The sshd_config(5) man page says:
The allow/deny directives are processed in the following order: 
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

From that, it seemed to me that it should work the way I imagined. 
But evidently it doesn't.

Does anyone have deeper experience with this?
Is it possible to allow "anyone from a group" and at the same time "a 
specific user from an IP"?

Mirek
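To make the man-page ordering concrete, here is an added Python model of how sshd evaluates the four directives; it is not sshd's own code and not part of the original post. It assumes a constructed account database (SAMPLE_GROUPS), approximates sshd's `*`/`?` wildcards with fnmatch, and matches the host part of a `user@host` pattern against either the client hostname or its IP address. The key point it reproduces is that every configured directive is a separate filter and a login must pass all of them: with `AllowUsers user@1.2.3.4` and `AllowGroups wheel` both set, wheel members fail the AllowUsers check and the special user fails the AllowGroups check, which is exactly the lock-out described above.

```python
from fnmatch import fnmatchcase

# Constructed sample account database: user -> primary + supplementary groups.
# Not a real system; used only to exercise the model below.
SAMPLE_GROUPS = {
    "alice": {"wheel"},
    "bob": {"staff", "users"},
    "carol": {"users"},
    "backup": {"backup"},
}


def parse_user_pattern(pattern):
    """Split an AllowUsers/DenyUsers entry 'user@host' into its two halves.

    Returns (user_pattern, host_pattern); host_pattern is None when the
    entry has no '@' part (the user is then accepted from any host).
    """
    if "@" in pattern:
        user, host = pattern.split("@", 1)
        return user, host
    return pattern, None


def user_matches(pattern, user, host, addr):
    """Test one user pattern against the connecting (user, hostname, ip).

    Assumption of this model: the host half is matched against either the
    reverse-resolved hostname or the client IP, with glob-style wildcards.
    """
    upat, hpat = parse_user_pattern(pattern)
    if not fnmatchcase(user, upat):
        return False
    if hpat is None:
        return True
    return fnmatchcase(host, hpat) or fnmatchcase(addr, hpat)


def login_allowed(config, user, host, addr, groups_of=SAMPLE_GROUPS):
    """Apply the directives in the order sshd_config(5) documents.

    config maps directive name -> list of patterns, e.g.
    {"AllowUsers": ["backup@1.2.3.4"], "AllowGroups": ["wheel"]}.
    Each directive that is present acts as an independent filter; the
    login succeeds only if none of the four checks rejects it.
    """
    groups = groups_of.get(user, set())
    deny_users = config.get("DenyUsers", [])
    allow_users = config.get("AllowUsers", [])
    deny_groups = config.get("DenyGroups", [])
    allow_groups = config.get("AllowGroups", [])

    # 1. DenyUsers: any matching pattern rejects the login.
    if any(user_matches(p, user, host, addr) for p in deny_users):
        return False
    # 2. AllowUsers: when set, at least one pattern must match.
    if allow_users and not any(user_matches(p, user, host, addr) for p in allow_users):
        return False
    # 3. DenyGroups: any of the user's groups matching a pattern rejects.
    if any(fnmatchcase(g, p) for g in groups for p in deny_groups):
        return False
    # 4. AllowGroups: when set, at least one of the user's groups must match.
    if allow_groups and not any(fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False
    return True


if __name__ == "__main__":
    # The configuration from the post: both directives set at once.
    both = {"AllowUsers": ["backup@1.2.3.4"], "AllowGroups": ["wheel"]}
    print("alice (wheel) from 10.0.0.5:", login_allowed(both, "alice", "ws.example", "10.0.0.5"))
    print("backup from 1.2.3.4:        ", login_allowed(both, "backup", "nas.example", "1.2.3.4"))
```

Because the checks are conjunctive, the model shows why the post's configuration admits nobody. The tests below also exercise a single-directive configuration in which the group members are enumerated by name in AllowUsers alongside the host-restricted entry, which the model accepts; whether that is the right operational choice depends on how often the group membership changes.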


More information about the Users-l mailing list