Re: AllowUser, DenyUser don't work.



Hi MCG,

As per the section below, if you have "DenyUsers root", it will be
effective, even if you add "AllowUsers root@host"...

As for your situation, maybe this will be useful (from
PermitRootLogin section, man sshd_config):

---
If this option is set to ``forced-commands-only'', root login with
public key authentication will
be allowed, but only if the command option has been
specified (which may be useful for taking
remote backups even if root login is normally not
allowed). All other authentication methods are
disabled for root.
---

So, you'll need "public key authentication" and "PermitRootLogin no".




---
The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.
---



On Wed, 31 Jan 2007 13:08:23 +0800 / MCG ZHUANG Liang wrote:
With a subject: RE: AllowUser, DenyUser don't work.

Hello Kamchybek,
Thanks a lot for your advice, but from the manual, did you notice this
line:
==The allow/deny directives are processedi n the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.==

According to this, my understanding is that I can deny root from
anywhere and then only permit root from 192.17.0.0 by the following 2
lines in the conf file:
DenyUsers root
AllowUsers root@xxxxxxx*
But it failed.

As for the reason that I AllowUsers root@xxxxxxx*, we have several
blades cooperate in such small local internal network, and we need:
ssh root@blade1 exec some cmd

so any other ideas to settle this contradiction?

Regards,
Zhuang Liang.

-----Original Message-----
From: Kamchybek Jusupov [mailto:kj.synack@xxxxxxxxx]
Sent: Wednesday, January 31, 2007 12:35
To: MCG ZHUANG Liang
Cc: secureshell@xxxxxxxxxxxxxxxxx
Subject: Re: AllowUser, DenyUser don't work.

Hi MCG,

Don't know the reason why you want to enable remote root logins, but:

man sshd_config says:
---
AllowUsers
This keyword can be followed by a list of user name
patterns, separated by spa- ces. If specified, login is allowed only
for user names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login is
allowed for all users. If the pattern takes the form USER@HOST then
USER and HOST are separately checked, restricting logins to
particular users from particular hosts. The allow/deny directives
are processed in the following order: DenyUsers, AllowUsers,
DenyGroups, and finally AllowGroups.
---

So, if you have "DenyUsers root" that's it - no root logins...


Better would be setup:
PermitRootLogin no
AllowUsers normaluserid

Get some help from "su -" and/or "sudo "


PS: Use ssh -vvv to get more debug messages...



On Tue, 30 Jan 2007 16:29:13 +0800 / MCG ZHUANG Liang wrote:
With a subject: AllowUser, DenyUser don't work.

Hello,
I try to restrict some kind of login through AllowUser and DenyUser
but failed.
openssh version: 4.5
What I want: disable root login from network outside 192.17.0.0
What I wrote into /etc/ssh/sshd_config
***************************
DenyUsers root
AllowUsers root@xxxxxxx*
***************************
However, after that not only root can not login from anywhere, but
all
the other accounts are also disabled

Anything I did wrong?

Regards,
Zhuang Liang.





.



--
Rgds,
Kamchybek Jusupov

Attitude is no substitude for competence...
GPG Key: C565 2827 0858 ECFE 74D7 A556 7B09 59DA B6C8 FF8C


--
Rgds,
Kamchybek Jusupov

Attitude is no substitude for competence...
GPG Key: C565 2827 0858 ECFE 74D7 A556 7B09 59DA B6C8 FF8C



Relevant Pages

  • Re: AllowUser, DenyUser dont work.
    ... disable root login from network outside 192.17.0.0 ... you don't need the DenyUsers line. ... If you specify AllowUsers then ...
    (SSH)
  • Re: AllowUser, DenyUser dont work.
    ... If specified, login is allowed only ... DenyUsers, AllowUsers, DenyGroups, and finally ... if you have "DenyUsers root" that's it - no root logins... ...
    (SSH)
  • RE: AllowUser, DenyUser dont work.
    ... Subject: AllowUser, DenyUser don't work. ... disable root login from network outside 192.17.0.0 What ... AllowUsers you@thehostyourecomingfrom ...
    (SSH)
  • Re: root trying to ssh but being denied
    ... > listed in AllowUsers ... If it were root from ... It's a script kiddie having found that your IP ... is to move the SSH server to another port. ...
    (comp.os.linux.security)
  • Re: AllowUsers issue
    ... >> I think you'll find that'll stop any users matching the DenyUsers pattern ... >> You only need AllowUsers; if set then users not matching it (or ... login with root any longer but could with the user. ...
    (SSH)