linux - SSHD AllowGroups, controlling access by groups -


i having issue sshd on ubuntu. attempting provide more robust security on ssh server using allowgroups restrict accounts can log on remotely. unfortunately, appears users not in allowed group can still login , issue commands.

i using: openssh_6.6.1p1 ubuntu-2ubuntu2.3, openssl 1.0.1f 6 jan 2014

i have added following lines /etc/ssh/sshd_config

allowgroups ssh  denygroups *

i have 2 user accounts created

$ id test1 uid=1002(test1) gid=1003(test1) groups=1003(test1),113(ssh) $ id test2 uid=1003(test2) gid=1004(test2) groups=1004(test2)

user test2 can still ssh remote terminal.

when test sshd server configuration appears include allowgroups setting of group ssh

$ sudo /usr/sbin/sshd -t  port 22 protocol 2 addressfamily listenaddress 0.0.0.0:22 listenaddress [::]:22 usepam 1 serverkeybits 1024 logingracetime 120 keyregenerationinterval 3600 x11displayoffset 10 maxauthtries 6 maxsessions 10 clientaliveinterval 0 clientalivecountmax 3 permitrootlogin without-password ignorerhosts yes ignoreuserknownhosts no rhostsrsaauthentication no hostbasedauthentication no hostbasedusesnamefrompacketonly no rsaauthentication yes pubkeyauthentication yes kerberosauthentication no kerberosorlocalpasswd yes kerberosticketcleanup yes gssapiauthentication no gssapikeyexchange no gssapicleanupcredentials yes gssapistrictacceptorcheck yes gssapistorecredentialsonrekey no passwordauthentication yes kbdinteractiveauthentication no challengeresponseauthentication no printmotd no printlastlog yes x11forwarding yes x11uselocalhost yes permittty yes strictmodes yes tcpkeepalive yes permitemptypasswords no permituserenvironment no uselogin no compression delayed gatewayports no usedns yes allowtcpforwarding yes useprivilegeseparation yes pidfile /var/run/sshd.pid xauthlocation /usr/bin/xauth ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com macs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com versionaddendum  kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org loglevel info syslogfacility auth authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2 hostkey /etc/ssh/ssh_host_rsa_key hostkey /etc/ssh/ssh_host_dsa_key hostkey /etc/ssh/ssh_host_ecdsa_key hostkey /etc/ssh/ssh_host_ed25519_key allowgroups ssh denygroups acceptenv lang acceptenv lc_* authenticationmethods subsystem sftp /usr/lib/openssh/sftp-server maxstartups 10:30:100 permittunnel no ipqos lowdelay throughput rekeylimit 0 0 permitopen

am incorrect in understanding of function of allowgroups? have conflicting setting? have example of working sshd_config allowgroups study? thanks.

you may accomplish same pam module pam_listfile. 

auth    required       pam_listfile.so \         onerr=fail item=group sense=allow file=/etc/logingroups

it means groups listed in /etc/logingroups allowed authenticate in server. check man page: http://linux.die.net/man/8/pam_listfile


Comments

Post a Comment

Popular posts from this blog

1111. appearing after print sequence - php -

morning, i have code takes string of shoe sizes, explodes , puts in table. code works , info displayed correctly on page after table there few 1's after table. i'm confused this. so table looks (in columns of 3 on webpage) available in following sizes: 3 4 5 6 9 10 111 here's codes, purpose of example $x = 3|4|6|10|9 function get_sizes_pipe($x) { $counter = 0; $splits = explode("|",$x); asort($splits); $x = print "<table class='greentable'>"; $x .= print "<thead><tr><th scope='col' colspan='3' abbr='starter'>available in following sizes:</th></tr></thead><tbody><tr>"; foreach ($splits $split) { $entry = print "<td>".$split."</td>"; if($counter == 2){ $entry .= print "</tr><tr>"; $counter =0; } else { $counter++; ...
Read more

java - WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/board/] in DispatcherServlet with name 'appServlet' -

this question has answer here: why spring mvc respond 404 , report “no mapping found http request uri […] in dispatcherservlet”? 3 answers i trying making simple bbs i'm encountering following error, warn : org.springframework.web.servlet.pagenotfound - no mapping found http request uri [/board/] in dispatcherservlet name 'appservlet' i have tried solve error many times, have failed. how can solve error? here web.xml, controllerand , servlet-context. my web.xml <?xml version="1.0" encoding="utf-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <filter> <filter-nam...
Read more

Ruby on Rails, ActiveRecord, Postgres, UTF-8 and ASCII-8BIT encodings -

weirdest error, who’s challenge try , me? spent hours yesterday on , it’s magic. can't believe happening , it's driving me crazy. btw, using: rails 4.2.3 ruby 2.2.3 pg 0.18 encoding.default_internal = encoding.default_external = utf-8 config.encoding = 'utf-8' it has postgres, activerecord , encodings! turns out we’ve been getting these errors whenever create new users on database special characters: encoding::undefinedconversionerror: "\xc3" ascii-8bit utf-8 \xc3 may vary depending on characters. weird part we’ve set since beginning utf-8. makes no sense , digged it, , used script: user.all.each |user| user.attributes.each |name, value| if value.is_a? string puts user.email + name.encoding.to_s + value.encoding.to_s end end end and output of 1 of users, users same: dr_lottahelp@blahblah.comutf-8utf-8 dr_lottahelp@blahblah.comutf-8ascii-8bit dr_lottahelp@blahblah.comutf-8ascii-8bit dr_lottahelp@blahblah.comutf-8asci...
Read more