topic Re: Allow only certain groups to ssh in Operating System - Linux

Allow only certain groups to ssh

yc_2 — Mon, 28 Mar 2005 04:21:26 GMT

Hi,

A simple script was written in the /etc/profile to verify whether the login account should be given a shell prompt for telnet service.

Is there a way to do this in ssh service?

Thanks in advance,
YC

Re: Allow only certain groups to ssh

Chakravarthi — Mon, 28 Mar 2005 05:56:27 GMT

hi,

check the following link!!

http://www.linuxjournal.com/article/6602

regards
chakri

Re: Allow only certain groups to ssh

Slawomir Gora — Mon, 28 Mar 2005 13:19:22 GMT

Hi,

you can modify sshd config file:
/etc/ssh/sshd_config
and change parameters:
AllowGroup or AllowUsers

Look at: man sshd_config for details

Ps,
after changing you have to restart sshd deamon

Re: Allow only certain groups to ssh

HGN — Mon, 28 Mar 2005 13:59:20 GMT

Hi

The file sshd_config (do a find / -name sshd_config to check the file location) edit that file & modify the parameters for AllowUsers & save it, restart the ssh daemon.

Rgds

HGN

Re: Allow only certain groups to ssh

yc_2 — Mon, 28 Mar 2005 21:47:03 GMT

I want to have a rule that:
(1) allow the whole of the developement group, deny all groups
(2) allow a few users not belong to the developement group.

I tried to put in the following in the ssd_config:
:
AllowGroups dev
AllowUsers abc
:

Non of the user in dev group can login as well as user abc.

AllowGroups and AllowUsers are mutually exclusive.

Any idea or pointer to achieve the rule?

Re: Allow only certain groups to ssh

kcpant — Mon, 28 Mar 2005 23:54:07 GMT

Hi Leong,

Are you able to ssh without using these parameters? first try to check the by-default behaviour of ssh configuration, by removing the allowuser and allowgroup lines you have added. if you are not able to ssh even after removing the lines, there is some other problem.

Re: Allow only certain groups to ssh

yc_2 — Tue, 29 Mar 2005 00:32:54 GMT

Tested no problem if AllowGroups and AllowUsers are removed.

Tested no problem with only AllowGroups is inserted.

Tested no problem with only AllowUsers is inserted.

Tested not working if both AllowGroups and AllowUsers are inserted together.

Re: Allow only certain groups to ssh

yc_2 — Tue, 29 Mar 2005 00:33:45 GMT

Tested no problem if AllowGroups and AllowUsers are removed.

Tested no problem with only AllowGroups is inserted.

Tested no problem with only AllowUsers is inserted.

If both AllowGroups and AllowUsers are inserted together. No one can login using ssh.

Re: Allow only certain groups to ssh

kcpant — Wed, 30 Mar 2005 02:21:15 GMT

Hi Leon,

I'm not very sure, but I think if you use both credentials, it makes an AND rule ( both conditions must match, means, the user must be of the group you allowed). Again, right now I do not have any Linux box around me to test it, so not very sure about it.

Re: Allow only certain groups to ssh

Ermin Borovac — Wed, 30 Mar 2005 02:41:37 GMT

The following pseudo code described access control in ssh implemented using AllowUsers and AllowGroups.

if user in denyusers
deny
if #allowusers > 0 and user not in allowusers
deny
if user group in deny groups
deny
if #allowgroups > 0 and user group not in allowgroups
deny

So you can use either AllowUsers or AllowGroups but not both.

Perphaps you can use AllowGroups only. For users that are not part of the groups specified in AllowGroups, put them in a separate group (e.g. ssh_allow) and specify that group (ssh_allow) on the AllowGroups line.

Re: Allow only certain groups to ssh

W Sanders_1 — Thu, 31 Mar 2005 13:14:52 GMT

What not just set the shell to /bin/false?

If you need a login that just runs a particular command, I've always used smrsh. Not a panacea, but it is useful sometimes.

Or just make a copy of bash, make its permissions 750, set up a group with the approved users, and set their login shell to the copy of bash?