Re: AllowUser, DenyUser don't work.
- From: Kamchybek Jusupov <kj.synack@xxxxxxxxx>
- Date: Wed, 31 Jan 2007 13:23:36 +0800
Hi MCG,
As per the section below, if you have "DenyUsers root", it will be
effective, even if you add "AllowUsers root@host"...
As for your situation, maybe this will be useful (from
PermitRootLogin section, man sshd_config):
---
If this option is set to ``forced-commands-only'', root login with
public key authentication will
be allowed, but only if the command option has been
specified (which may be useful for taking
remote backups even if root login is normally not
allowed). All other authentication methods are
disabled for root.
---
So, you'll need "public key authentication" and "PermitRootLogin no".
---
The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.
---
On Wed, 31 Jan 2007 13:08:23 +0800 / MCG ZHUANG Liang wrote:
With a subject: RE: AllowUser, DenyUser don't work.
Hello Kamchybek,
Thanks a lot for your advice, but from the manual, did you notice this
line:
==The allow/deny directives are processedi n the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.==
According to this, my understanding is that I can deny root from
anywhere and then only permit root from 192.17.0.0 by the following 2
lines in the conf file:
But it failed.DenyUsers root
AllowUsers root@xxxxxxx*
As for the reason that I AllowUsers root@xxxxxxx*, we have several
blades cooperate in such small local internal network, and we need:
ssh root@blade1 exec some cmd
so any other ideas to settle this contradiction?
Regards,
Zhuang Liang.
-----Original Message-----all
From: Kamchybek Jusupov [mailto:kj.synack@xxxxxxxxx]
Sent: Wednesday, January 31, 2007 12:35
To: MCG ZHUANG Liang
Cc: secureshell@xxxxxxxxxxxxxxxxx
Subject: Re: AllowUser, DenyUser don't work.
Hi MCG,
Don't know the reason why you want to enable remote root logins, but:
man sshd_config says:
---
AllowUsers
This keyword can be followed by a list of user name
patterns, separated by spa- ces. If specified, login is allowed only
for user names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login is
allowed for all users. If the pattern takes the form USER@HOST then
USER and HOST are separately checked, restricting logins to
particular users from particular hosts. The allow/deny directives
are processed in the following order: DenyUsers, AllowUsers,
DenyGroups, and finally AllowGroups.
---
So, if you have "DenyUsers root" that's it - no root logins...
Better would be setup:
PermitRootLogin no
AllowUsers normaluserid
Get some help from "su -" and/or "sudo "
PS: Use ssh -vvv to get more debug messages...
On Tue, 30 Jan 2007 16:29:13 +0800 / MCG ZHUANG Liang wrote:
With a subject: AllowUser, DenyUser don't work.
Hello,
I try to restrict some kind of login through AllowUser and DenyUser
but failed.
openssh version: 4.5
What I want: disable root login from network outside 192.17.0.0
What I wrote into /etc/ssh/sshd_config
***************************
DenyUsers root
AllowUsers root@xxxxxxx*
***************************
However, after that not only root can not login from anywhere, but
the other accounts are also disabled
Anything I did wrong?
Regards,
Zhuang Liang.
.
--
Rgds,
Kamchybek Jusupov
Attitude is no substitude for competence...
GPG Key: C565 2827 0858 ECFE 74D7 A556 7B09 59DA B6C8 FF8C
--
Rgds,
Kamchybek Jusupov
Attitude is no substitude for competence...
GPG Key: C565 2827 0858 ECFE 74D7 A556 7B09 59DA B6C8 FF8C
- Prev by Date: Re: AllowUser, DenyUser don't work.
- Next by Date: Re: AllowUser, DenyUser don't work.
- Previous by thread: Re: AllowUser, DenyUser don't work.
- Next by thread: Carriage return character added automatically
- Index(es):
Relevant Pages
|
