
Allow only certain groups to ssh

 
yc_2
Regular Advisor

Allow only certain groups to ssh

Hi,

A simple script was written in the /etc/profile to verify whether the login account should be given a shell prompt for telnet service.

Is there a way to do this in ssh service?


Thanks in advance,
YC
10 REPLIES 10
Chakravarthi
Trusted Contributor

Re: Allow only certain groups to ssh

hi,

check the following link!!

http://www.linuxjournal.com/article/6602

regards
chakri
Slawomir Gora
Honored Contributor

Re: Allow only certain groups to ssh

Hi,

you can modify sshd config file:
/etc/ssh/sshd_config
and change parameters:
AllowGroups or AllowUsers

Look at: man sshd_config for details

PS,
after changing it you have to restart the sshd daemon


HGN
Honored Contributor

Re: Allow only certain groups to ssh

Hi

Edit the file sshd_config (do a find / -name sshd_config to check the file location), modify the parameters for AllowUsers, save it, and restart the ssh daemon.

Rgds

HGN
yc_2
Regular Advisor

Re: Allow only certain groups to ssh

I want to have a rule that:
(1) allows the whole of the development group, denies all groups
(2) allows a few users who do not belong to the development group.

I tried to put the following in the sshd_config:
:
AllowGroups dev
AllowUsers abc
:

None of the users in the dev group can log in, and neither can user abc.

AllowGroups and AllowUsers are mutually exclusive.

Any idea or pointer to achieve the rule?


kcpant
Trusted Contributor

Re: Allow only certain groups to ssh

Hi Leong,

Are you able to ssh without using these parameters? First try to check the default behaviour of the ssh configuration by removing the AllowUsers and AllowGroups lines you have added. If you are not able to ssh even after removing the lines, there is some other problem.
PreSales Specialist
yc_2
Regular Advisor

Re: Allow only certain groups to ssh

Tested no problem if AllowGroups and AllowUsers are removed.

Tested no problem when only AllowGroups is inserted.

Tested no problem when only AllowUsers is inserted.

Tested not working if both AllowGroups and AllowUsers are inserted together.
yc_2
Regular Advisor

Re: Allow only certain groups to ssh

Tested no problem if AllowGroups and AllowUsers are removed.

Tested no problem when only AllowGroups is inserted.

Tested no problem when only AllowUsers is inserted.

If both AllowGroups and AllowUsers are inserted together, no one can log in using ssh.
kcpant
Trusted Contributor

Re: Allow only certain groups to ssh

Hi Leon,

I'm not very sure, but I think if you use both credentials, it makes an AND rule (both conditions must match, meaning the user must be of the group you allowed). Again, right now I do not have any Linux box around me to test it, so not very sure about it.
PreSales Specialist
Ermin Borovac
Honored Contributor

Re: Allow only certain groups to ssh

The following pseudo code describes access control in ssh implemented using AllowUsers and AllowGroups.

if user in denyusers
    deny
if #allowusers > 0 and user not in allowusers
    deny
if user group in deny groups
    deny
if #allowgroups > 0 and user group not in allowgroups
    deny

So you can use either AllowUsers or AllowGroups but not both.

Perhaps you can use AllowGroups only. For users that are not part of the groups specified in AllowGroups, put them in a separate group (e.g. ssh_allow) and specify that group (ssh_allow) on the AllowGroups line.
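
The check order from the pseudocode above, modelled in Python as an added example (not part of any post in this thread and not OpenSSH code). The accounts alice and bob, the group "users" and the helper names are assumptions made up for illustration; fnmatch stands in for sshd's own pattern matching.

```python
from fnmatch import fnmatchcase

def _matches(name, patterns):
    """True if name matches any pattern (fnmatch is a stand-in for sshd's matcher)."""
    return any(fnmatchcase(name, p) for p in patterns)

def sshd_allows(user, groups, cfg):
    """Apply the four checks in the order given in the pseudocode above.

    cfg maps a directive name to a list of patterns; a missing or empty
    list means the directive is not set. groups is every group the user is in.
    """
    if _matches(user, cfg.get("DenyUsers", [])):
        return False
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not _matches(user, allow_users):
        return False
    if any(_matches(g, cfg.get("DenyGroups", [])) for g in groups):
        return False
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not any(_matches(g, allow_groups) for g in groups):
        return False
    return True

# Constructed accounts: alice is a developer, abc is the extra user, bob is neither.
ACCOUNTS = {"alice": ["dev"], "abc": ["users"], "bob": ["users"]}

def who_can_log_in(cfg, accounts=ACCOUNTS):
    """Sorted list of the account names that pass every check."""
    return sorted(u for u, g in accounts.items() if sshd_allows(u, g, cfg))

# The configuration tried in the thread: both lists are set, so a user has
# to pass the AllowUsers check AND the AllowGroups check.
BOTH = {"AllowGroups": ["dev"], "AllowUsers": ["abc"]}

# The workaround from the post above: abc joins a second group (ssh_allow)
# and only AllowGroups is used.
WORKAROUND_ACCOUNTS = dict(ACCOUNTS, abc=["users", "ssh_allow"])
WORKAROUND = {"AllowGroups": ["dev", "ssh_allow"]}

if __name__ == "__main__":
    print("AllowGroups + AllowUsers:", who_can_log_in(BOTH))
    print("AllowGroups only:", who_can_log_in(WORKAROUND, WORKAROUND_ACCOUNTS))
```

With both directives set nobody in the sample passes, which matches the test results reported earlier in the thread; with the extra group, alice and abc pass and bob is still refused.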
W Sanders_1
Frequent Advisor

Re: Allow only certain groups to ssh

Why not just set the shell to /bin/false?

If you need a login that just runs a particular command, I've always used smrsh. Not a panacea, but it is useful sometimes.

Or just make a copy of bash, make its permissions 750, set up a group with the approved users, and set their login shell to the copy of bash?
"There is no truth to the rumor that all employees are going to be required to have lobotomies ... at least at the prices we were quoted" -Dilbert