RE: restricted users

From: James Riden (james.riden@xtra.co.nz)
Date: 02/27/03

    From: "James Riden" <james.riden@xtra.co.nz>
    To: "'Hong Tian'" <htian@ias.edu>, <secureshell@securityfocus.com>
    Date: Thu, 27 Feb 2003 15:10:09 +1300
    
    

    Hong,

    Here's an entry from the manpage.

    AllowUsers

    This keyword can be followed by a list of user name patterns,
    separated by spaces. If specified, login is allowed only for
    users names that match one of the patterns. `*' and `?' can be
    used as wildcards in the patterns. Only user names are valid; a
    numerical user ID is not recognized. By default, login is
    allowed for all users. If the pattern takes the form USER@HOST
    then USER and HOST are separately checked, restricting logins to
    particular users from particular hosts.

    So,

    AllowUsers jamesr

    in the config file *should* (seems to on Debian) allow jamesr and
    no-one else to log in via ssh.

    Cheers,
     Jamie

    -- 
    James Riden / james.riden@xtra.co.nz / jamesr@security-solutions.co.nz
    http://www.security-solutions.co.nz/
    -----Original Message-----
    From: Hong Tian [mailto:htian@ias.edu] 
    Sent: Thursday, 27 February 2003 1:51 p.m.
    To: 'secureshell@securityfocus.com'
    Subject: FW: restricted users

    Jamie,

    On my RedHat 7.3, there is no manual entry for sshd_config. But I tried
    AllowUsers and DenyUsers. It works well.

    The question now is that I have to deny more than 200 users and allow 10
    users. I can't put so many user names on deny lists in sshd_config. I
    tried to deny everyone and then allow someone. But I don't know how to
    deny all. I tried the following; none of them denies all:

    DenyUsers all                  => does not work
    DenyUsers ALL                  => does not work
    DenyUsers everyone             => does not work
    DenyUsers user1                 => works!
    AllowUsers user2 user3 user4    => works!

    Do you know how to use DenyUsers to deny everyone?

    Thanks,
    Hong
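
Added example (not part of either message, and not sshd's own code): a simplified Python model of the AllowUsers matching described in the manpage entry above, run against the user names from the thread. The host names are constructed, and group directives, IP address matching and case rules are left out.

```python
import re

def glob_match(pattern, text):
    """Match with only '*' and '?' as wildcards, as the manpage entry describes."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.S) is not None

def entry_matches(entry, user, host):
    """One list entry: USER, or USER@HOST with both halves checked separately."""
    user_pat, has_host, host_pat = entry.partition("@")
    if not glob_match(user_pat, user):
        return False
    return not has_host or glob_match(host_pat, host)

def login_allowed(user, host, allow_users=(), deny_users=()):
    """Simplified model of the user checks (assumption: no group directives set)."""
    # sshd evaluates DenyUsers before AllowUsers, so a deny match always wins.
    if any(entry_matches(e, user, host) for e in deny_users):
        return False
    # A non-empty AllowUsers list is itself a default-deny: unlisted users fail.
    if allow_users:
        return any(entry_matches(e, user, host) for e in allow_users)
    return True  # no lists at all: login is allowed for all users

if __name__ == "__main__":
    allow = ["user2", "user3", "user4"]      # names from the thread
    host = "ws1.example.org"                 # constructed host name
    for user in ("user1", "user2", "user200"):
        print(user, login_allowed(user, host, allow_users=allow))
    # "DenyUsers all" only matches an account literally named "all".
    print(login_allowed("user1", host, deny_users=["all"]))
    # "DenyUsers *" denies everyone, including users on the AllowUsers list.
    print(login_allowed("user2", host, allow_users=allow, deny_users=["*"]))
```

In this model the AllowUsers line alone keeps out the 200 unlisted accounts, so no DenyUsers entry is needed for them.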
    

