I have an sshd config that looks like this:

    DenyUsers *
    AllowUsers root@*
    AllowUsers user1@*
    AllowUsers user2@*

The sshd docs state that "The allow/deny users directives are processed in the following order: DenyUsers, AllowUsers", and the intention here is that nobody should be allowed to use ssh apart from the 3 listed users.

However, this doesn't work: if any of these users tries to connect over ssh, the logs (systemctl status ssh) state that "User foo from a.b.c.d not allowed because listed in DenyUsers".

So, it looks like DenyUsers always has priority (I'm on OpenSSH_8.9p1, on Ubuntu 22.04).

Is there some way around this? I need to have some form of DenyUsers because configuration on this system is automated, and all 3 users could be denied access by commenting out their individual AllowUsers, which would give:

    # AllowUsers root@*
    # AllowUsers user1@*
    # AllowUsers user2@*

The problem now is that everybody is allowed access, instead of nobody.

1 Answer 1

See this answer for a description of the unexpected way the four allow/deny directives work. The four directives are AllowUsers, AllowGroups, DenyUsers, and DenyGroups. The part of the answer that describes this is near the end because the question was about a slightly different topic (how the directives work within Match blocks).


The way to get the deny behavior you want is to specify who should enjoy access to the server in either AllowUsers or AllowGroups directives.

When I've used this, I followed the common Linux convention that every user account on the local server is created with a primary group that's named the same as the user. I.e., John Doe's account would be named johndoe and a group named johndoe would be created. People who should have access because of their job role (like Linux system admins) would have their accounts added to secondary functional groups like sysadmins. With this configuration the line:

    AllowGroups sysadmins

would allow me (sottovoce) to ssh into the server because I'm in the sysadmin group. If I want someone to have access without being in a group, that account would be named in the same line:

    AllowGroups sysadmins johndoe

Now, along with the sysadmins, John Doe is also allowed because he's a member of the johndoe group. Everyone else is denied.

I didn't use AllowUsers because that would block the sysadmin folks. Adding and removing sysadmin access would require changing the sshd_config file, which is more intrusive and sensitive than editing the /etc/group file. Managing access via group membership is better.

  • If your reading of the code is right - and it sounds like it is - then I think they just didn't think it through. It's a mess; they should (a) document it, and (b) look at how Apache does it. Commented Jun 4, 2024 at 14:29
  • Something I noticed in testing: if you change my original AllowUsers user1@* line to AllowUsers user1, then user2 cannot log in. This looks pretty broken to me. Commented Jun 4, 2024 at 14:35
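The following Python is an added illustration, not part of the answer above and not OpenSSH's own code: it models the documented evaluation order (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups) and the USER@HOST pattern form, then runs the question's config and the answer's AllowGroups config against a few constructed accounts. The client host string and the account/group table are assumptions made for the demonstration.

```python
import fnmatch

# Model of the order the sshd_config manual documents:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups. A deny match anywhere
# wins; an Allow* directive that is set but unmatched also denies.
# This is an added illustration, not sshd's implementation.
def _match_user(user, host, pattern):
    """A pattern containing '@' is USER@HOST; otherwise it matches USER only."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)

def _match_group(groups, patterns):
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)

def allowed(user, host, groups, cfg):
    """cfg maps directive name -> list of patterns; a missing key means unset.
    Returns (allowed?, reason)."""
    if any(_match_user(user, host, p) for p in cfg.get("DenyUsers", [])):
        return False, "listed in DenyUsers"
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not any(_match_user(user, host, p) for p in allow_users):
        return False, "not listed in AllowUsers"
    if _match_group(groups, cfg.get("DenyGroups", [])):
        return False, "a group is listed in DenyGroups"
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not _match_group(groups, allow_groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"

# The question's config: DenyUsers * is consulted first, so AllowUsers never helps.
QUESTION_CFG = {"DenyUsers": ["*"], "AllowUsers": ["root@*", "user1@*", "user2@*"]}
# The question's config with every AllowUsers line commented out: nothing is set.
COMMENTED_OUT_CFG = {}
# The answer's config: access granted only through group membership.
ANSWER_CFG = {"AllowGroups": ["sysadmins", "johndoe"]}
# Constructed accounts (assumption): primary group named after the user,
# plus a functional secondary group for the admin.
ACCOUNTS = {"sottovoce": ["sottovoce", "sysadmins"], "johndoe": ["johndoe"], "user1": ["user1"]}
CLIENT_HOST = "10.0.0.5"  # assumed client address for USER@HOST matching

def evaluate(cfg):
    """Return {user: allowed?} for every constructed account under cfg."""
    return {u: allowed(u, CLIENT_HOST, g, cfg)[0] for u, g in ACCOUNTS.items()}
```

Running evaluate() on the three configs reproduces the page: the question's config denies everyone, the commented-out config allows everyone, and the answer's config admits only sottovoce and johndoe.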
