sshd_config AllowUsers

I am trying to set up a very specific configuration for the AllowUsers directive that follows the logic below:

  • Allow user1 to ssh from host1
  • Deny user1 to ssh from any other host
  • Allow all other users from any host

I've tried the following:

AllowUsers user1@host1 user1@!* *@*


Unfortunately, when @ is present, it overrides the previous options, no matter what the order is.

I have two questions: is there an order in which the parameters in the AllowUsers directive are executed, and is the above logic possible?

+3


4 answers


The above logic is not possible with only one instance of sshd. However, this is possible if you start a second sshd instance (configured to listen on a different port).

Configure the first instance with

DenyUsers user1

Set up the second instance with:

AllowUsers user1@host1


Tell user1 to connect to the second instance (different port). Tell all other users to connect to the first instance (default port).

+2


The sshd_config man page says the processing order is:

Allow / deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So, if "user1" also has its own group "user1", you can use this configuration:

AllowUsers *@host1
DenyGroups user1
AllowGroups *


Another option is to use negation:

DenyUsers user1@!host1
AllowUsers *@*


+2


NOTE: You can also allow or deny ssh access using SSH PAM CONFIG (recommended for a large number of users) or using TCP Wrappers, but you will need to get the libwrap.a library for it to work with SSH.

If you want to restrict access through SSHD CONFIG, you can use these four entries:

AllowUsers AllowGroups DenyUsers DenyGroups

Patterns match in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. This means that, for example, if you add a user to both entries (AllowUsers and DenyUsers), this will cause the user to be denied regardless of the order in which the rules appear in the config script.

To meet the above 3 restrictions, you can try creating an sshgroup and configuring every user account except user1 to be included in the group. Finally, you can create a script that adds the users in the sshgroup to the rule in the sshd_config file, which always includes:

AllowUsers user1@host1

as a result:

AllowUsers user1@host1 user2 user3 ...

To update the sshd config file you can call the script every time the user is created / deleted. Remember to restart the ssh daemon after every change in the config file.

Here you can find the script "pop_user_allow_ssh", which is also trying to generate a list of users.

You don't mention your OS, but that's how I did it on AIX. Hope this idea helps.

0


# Deny user1 from all hosts but host1
DenyUsers user1@!host1,*
# Allow all users from any host that are not denied yet
AllowUsers *@*


0
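The processing order quoted in the second answer, and the difference between `user1@!host1` (second answer) and `user1@!host1,*` (last answer), can be checked before touching a live sshd_config with the following model of sshd's user and group filtering. This is an added example, not OpenSSH code and not code from any of the posters: it implements the documented order (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and the pattern-list rule from ssh_config(5) PATTERNS, under which a negated entry rejects a match but never produces a positive match on its own. It assumes hostname-only matching (real sshd also matches the client address and applies Match blocks, both left out here), and the user names, host names and private groups in the scenarios are constructed.

```python
import re

# The access policy from the question: user1 only from host1, everyone else from anywhere.
POLICY = {"user1@host1": True, "user1@host2": False, "user2@host2": True}

# Constructed scenarios: (user, host) pairs and each user's groups (assumes every
# user has a private group of the same name, as the second answer supposes).
SCENARIOS = [("user1", "host1"), ("user1", "host2"), ("user2", "host2")]
GROUPS = {"user1": ["user1"], "user2": ["user2"]}

# The configurations discussed on this page, as directive -> value strings.
CONFIGS = {
    "question (AllowUsers only)": {"AllowUsers": "user1@host1 user1@!* *@*"},
    "DenyUsers user1@!host1": {"DenyUsers": "user1@!host1", "AllowUsers": "*@*"},
    "DenyUsers user1@!host1,*": {"DenyUsers": "user1@!host1,*", "AllowUsers": "*@*"},
    "groups": {"AllowUsers": "*@host1", "DenyGroups": "user1", "AllowGroups": "*"},
}


def match_pattern(string, pattern):
    """Wildcard match supporting only '*' and '?', as sshd patterns do."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, string) is not None


def match_pattern_list(string, patterns):
    """Comma-separated pattern list with '!' negation (ssh_config(5) PATTERNS).
    Returns 1 on a positive match, -1 if a negated entry matched, 0 otherwise.
    A negated entry on its own never produces a positive result."""
    got_positive = 0
    for sub in patterns.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if sub and match_pattern(string, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_user(user, host, entry):
    """One AllowUsers/DenyUsers entry: USER or USER@HOSTLIST.
    Only the host part is a pattern list; a '!' in the user part is literal."""
    if "@" not in entry:
        return match_pattern(user, entry)
    user_pat, host_pats = entry.split("@", 1)
    if not match_pattern(user, user_pat):
        return False
    return match_pattern_list(host.lower(), host_pats.lower()) == 1


def allowed(user, host, groups, config):
    """Apply the documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    Returns (decision, reason)."""
    deny_users = config.get("DenyUsers", "").split()
    allow_users = config.get("AllowUsers", "").split()
    deny_groups = config.get("DenyGroups", "").split()
    allow_groups = config.get("AllowGroups", "").split()

    if any(match_user(user, host, e) for e in deny_users):
        return False, "listed in DenyUsers"
    if allow_users and not any(match_user(user, host, e) for e in allow_users):
        return False, "not listed in AllowUsers"
    if any(match_pattern(g, p) for g in groups for p in deny_groups):
        return False, "group listed in DenyGroups"
    if allow_groups and not any(match_pattern(g, p) for g in groups for p in allow_groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


def evaluate(config):
    """Decision for every scenario under one configuration."""
    return {f"{u}@{h}": allowed(u, h, GROUPS[u], config)[0] for u, h in SCENARIOS}


def meets_policy(config):
    """True when the configuration yields exactly the decisions the question asks for."""
    return evaluate(config) == POLICY


def main():
    for name, config in CONFIGS.items():
        verdict = "meets policy" if meets_policy(config) else "does NOT meet policy"
        print(f"{name}: {verdict}")
        for u, h in SCENARIOS:
            decision, reason = allowed(u, h, GROUPS[u], config)
            print(f"  {u}@{h}: {'allow' if decision else 'deny'} ({reason})")


if __name__ == "__main__":
    main()
```

Running it shows why the question's attempt fails: an AllowUsers entry can only grant access, so `*@*` admits user1 from every host and `user1@!*` never matches anything. Under the pattern-list rule, `DenyUsers user1@!host1` also never matches a host other than host1, because the negated entry is not followed by a positive term; `DenyUsers user1@!host1,*` denies user1 from any host except host1 and is the only configuration in the table that yields the three decisions the question asks for. The group variant denies user1 even from host1 (DenyGroups carries no host qualifier and is applied after AllowUsers) and confines every other user to host1 as well.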