sshd_config AllowUsers

I'm trying a very specific configuration for the AllowUsers directive that follows the logic below:

  • Allow user1 to ssh from host1
  • Deny user1 to ssh from any other host
  • Allow all other users from any host

I've tried the following:

AllowUsers user1@host1 user1@!* *@*

Unfortunately, whenever the @ is present, it negates the previous parameters, no matter what the order is.

I have two questions: is there an order in which the parameters within the AllowUsers directive are executed, and is the logic above even possible?

Susette answered 7/2, 2013 at 21:38 Comment(0)

The sshd_config man page says that the order of processing is:

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So if user "user1" also has its own group "user1", you can use this configuration:

AllowUsers *@host1
DenyGroups user1
AllowGroups *

Another option is to use negation:

DenyUsers user1@!host1
AllowUsers *@*
Pinkeye answered 24/11, 2016 at 10:41 Comment(1)
One word of caution: multiple entries on the AllowUsers statement that use the same user in user@host notation can cause the subsequent entries not to be evaluated. It is more reliable to enter separate AllowUsers statements, each with its own user@host entry. I specifically noticed this behavior in Ubuntu 16.04. - Erector

The logic above is not possible with just one instance of sshd. However it is possible if you run a second sshd instance (configured to listen on a different port).

Configure the first instance with:

DenyUsers user1

Configure the second instance with:

AllowUsers user1@host1

Tell user1 to connect to the second instance (different port). Tell all other users to connect to the first instance (default port).

Caril answered 7/6, 2014 at 3:52 Comment(0)

NOTE: You could also allow or deny SSH access by using the SSH PAM config (recommended for a large number of users) or with TCP Wrappers, but you would need the libwrap.a library to make it work with SSH.

If you want to restrict access via the sshd config, you can use these four entries:

AllowUsers, AllowGroups, DenyUsers, DenyGroups

The pattern matching occurs in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. This means that, for example, if you add a user to both entries (AllowUsers and DenyUsers), the user will be denied no matter the order in which the rules appear in the config file.

To accomplish the 3 restrictions you mention, you could try creating a group sshgroup and configuring every user account, except for user1, to be included in the group. Finally, you could create a script to add the users in sshgroup to a rule in your sshd_config file that always includes:

AllowUsers user1@host1

resulting in:

AllowUsers user1@host1 user2 user3...

To keep the sshd config file up to date, you could call the script every time a user is created/deleted. Don't forget to restart the ssh daemon after every change to the config file.

Here you can find a script, "pop_user_allow_ssh", that also tries to generate a user list.

You don't mention your OS but this is how I did it on AIX. I hope the idea helps.

Revolt answered 22/8, 2013 at 0:4 Comment(0)
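The membership-driven AllowUsers line the answer above describes, as an added example for this page (it is not the AIX script the answer refers to): it derives the directive from the /etc/group and /etc/passwd formats, picking up users whose primary group is sshgroup as well as the secondary members listed in /etc/group, and keeps user1 out of the unrestricted list so that user1@host1 stays the only entry matching that account. The group name "sshgroup", the pinned entry "user1@host1" and the file contents are constructed test data.

```python
"""Build an AllowUsers directive from group membership.

Added example for this page, not the script mentioned in the answer. It
parses the /etc/group and /etc/passwd formats, collects every member of a
group (secondary members from /etc/group plus users whose primary GID is
that group, who never appear in the member list), excludes the pinned
user, and returns one AllowUsers line. All names and file contents below
are constructed test data.
"""


def group_members(group_text, passwd_text, group_name):
    """Users in group_name via /etc/group membership or via primary GID."""
    gid = None
    members = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is None:
        raise ValueError(f"group {group_name!r} not found")
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3] == gid:
            members.add(fields[0])
    return members


def build_allow_users(group_text, passwd_text, group_name="sshgroup",
                      pinned=("user1@host1",)):
    """Return 'AllowUsers <pinned entries> <sorted group members>'.

    Pinned users are removed from the unrestricted list: a bare 'user1'
    entry would match from any host and bypass the user1@host1 restriction."""
    pinned_users = {p.split("@", 1)[0] for p in pinned}
    members = group_members(group_text, passwd_text, group_name) - pinned_users
    for name in sorted(members):
        # A bare entry is a pattern; these characters would change its meaning.
        if any(c in name for c in " \t*?!@,"):
            raise ValueError(f"unsafe user name for AllowUsers: {name!r}")
    return "AllowUsers " + " ".join(list(pinned) + sorted(members))


# Constructed sample files: carol is in sshgroup only through her primary GID.
SAMPLE_GROUP = """\
root:x:0:
sshgroup:x:1001:alice,bob
user1:x:1002:
staff:x:1003:carol
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1004:1004::/home/bob:/bin/sh
carol:x:1005:1001::/home/carol:/bin/sh
user1:x:1002:1002::/home/user1:/bin/sh
"""

if __name__ == "__main__":
    print(build_allow_users(SAMPLE_GROUP, SAMPLE_PASSWD))
```

Whatever writes the regenerated line into sshd_config should run `sshd -t -f <file>` on the result before the daemon is restarted or reloaded: a malformed directive is only reported at that point, and a daemon that fails to come back up leaves every user locked out, not just user1.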
# Deny user1 from all hosts but host1
DenyUsers user1@!host1,*
# Allow all users from any host that are not denied yet
AllowUsers *@*
Georgeannageorgeanne answered 28/9, 2017 at 9:21 Comment(1)
Please try to answer both questions with an explanation. - Tradesman
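To check the configurations proposed in the question and in the answers above against the three requirements, here is an added model of the matching sshd performs; it is not code from OpenSSH or from any poster on this page. It follows the rules in the PATTERNS section of ssh_config(5) and the DenyUsers, AllowUsers, DenyGroups, AllowGroups order from sshd_config(5): a pattern list made only of negated entries such as !host1 never yields a positive match (which is what the ",*" in the last answer adds), and the host part of a user@host entry is compared with both the client's address and its resolved name, which sshd only looks up when UseDNS is enabled. CIDR address patterns are not modelled, and the host names, addresses and groups in the test cases are constructed.

```python
"""Model of how sshd evaluates AllowUsers and DenyUsers entries.

Added example for this page, not code from OpenSSH or from any poster. It
follows the PATTERNS rules of ssh_config(5) and the allow/deny order of
sshd_config(5). CIDR address patterns are not modelled; the names, addresses
and groups in CASES are constructed test data.
"""
import re

def match_pattern(s, pattern):
    """One pattern: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, s) is not None

def match_pattern_list(s, patterns):
    """Comma-separated list: 1 = positive match, -1 = a negated entry matched
    (scan stops), 0 = nothing matched, so negated entries alone never give 1."""
    got_positive = False
    for sub in patterns.split(","):
        negated = sub.startswith("!")
        if match_pattern(s, sub[1:] if negated else sub):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0

def match_host_and_ip(host, ipaddr, patterns):
    """Host part of user@host: a negated match on address or name rejects,
    otherwise a positive match on either is enough (as sshd does it)."""
    mip = match_pattern_list(ipaddr, patterns)
    if mip == -1:
        return False
    mhost = match_pattern_list(host.lower(), patterns.lower())
    return mhost != -1 and (mip == 1 or mhost == 1)

def match_user(user, host, ipaddr, entry):
    """One AllowUsers/DenyUsers entry: 'userpattern' or 'userpattern@hostlist'."""
    if "@" not in entry:
        return match_pattern(user, entry)
    upat, hpat = entry.split("@", 1)
    return match_pattern(user, upat) and match_host_and_ip(host, ipaddr, hpat)

def parse_config(text):
    """Collect allow/deny entries; repeated lines accumulate as in sshd."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, rest = line.partition(" ")
            cfg.setdefault(key, []).extend(rest.split())
    return cfg

def allowed_user(user, groups, host, ipaddr, cfg):
    """sshd's order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if any(match_user(user, host, ipaddr, e) for e in cfg.get("DenyUsers", [])):
        return False, "listed in DenyUsers"
    allow = cfg.get("AllowUsers", [])
    if allow and not any(match_user(user, host, ipaddr, e) for e in allow):
        return False, "not listed in AllowUsers"
    def in_group(e):
        return any(match_pattern_list(g, e) == 1 for g in groups)
    if any(in_group(e) for e in cfg.get("DenyGroups", [])):
        return False, "group listed in DenyGroups"
    allow_g = cfg.get("AllowGroups", [])
    if allow_g and not any(in_group(e) for e in allow_g):
        return False, "no group listed in AllowGroups"
    return True, "allowed"

# (user, groups, resolved host name, address, outcome the question wants)
CASES = [
    ("user1", ["user1"], "host1", "192.0.2.10", True),
    ("user1", ["user1"], "host2", "192.0.2.20", False),
    ("user2", ["user2"], "host2", "192.0.2.20", True),
]
WANTED = [c[4] for c in CASES]

# The configurations discussed on this page, plus an address-based variant.
CONFIGS = {
    "question": "AllowUsers user1@host1 user1@!* *@*",
    "negation only": "DenyUsers user1@!host1\nAllowUsers *@*",
    "groups": "AllowUsers *@host1\nDenyGroups user1\nAllowGroups *",
    "negation plus wildcard": "DenyUsers user1@!host1,*\nAllowUsers *@*",
    "address form": "DenyUsers user1@!192.0.2.10,*\nAllowUsers *@*",
}

def evaluate(config_text, use_dns=True):
    """Outcome per case; with UseDNS off the name sshd matches is the address."""
    cfg = parse_config(config_text)
    return [allowed_user(u, g, h if use_dns else ip, ip, cfg)[0]
            for u, g, h, ip, _ in CASES]

if __name__ == "__main__":
    for name, text in CONFIGS.items():
        print(f"{name:24} UseDNS yes: {evaluate(text)}  "
              f"UseDNS no: {evaluate(text, use_dns=False)}")
```

Running the block prints, for each configuration, the outcome for user1 from host1, user1 from host2 and user2 from host2, once with UseDNS on and once with it off. Under this model only the negation-plus-wildcard form from the last answer produces the wanted allow, deny, allow, and only while sshd resolves the client's name; with UseDNS at its current default of no the name sshd compares is the address, "host1" never matches, and user1 is locked out everywhere. Writing the client's address in the rule instead (the "address form" entry) gives the same result either way, so it is the safer way to express the restriction unless reverse DNS for host1 is under your control.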
