Friday, May 3, 2024
rated 0 times [  1] [ 0]  / answers: 1 / hits: 6363  / 2 Years ago, thu, january 27, 2022, 3:19:58

Using OpenSSH, I have enabled ssh-login to my Ubuntu 18.04 machine, call it Remote and my user account on Remote is called Remote-User. I have also made sure that login is only possible by means of public-key authentication. Here comes the actual description of the problem.


I have two local machines, call them Local-A and Local-B, and each of them has one user, call them User-A and User-B, respectively. I would like to restrict access to Remote-User@Remote to only User-A and User-B and disallow other users, irrespective of whether their public key has been added to the .ssh/authorized_keys file of Remote-User@Remote. I tried doing so by adding the line


AllowUsers User-A User-B


to sshd_config but I noticed that User-B had ssh access to Remote-User@Remote even if I simply had


AllowUsers User-A


This makes me think that any user whose public-key has been added to Remote-User@Remote's .ssh/authorized_keys file will have access, irrespective of any restrictions I try to impose using AllowUsers.


I was wondering if anybody has any suggestions on how to tackle this. Bear in mind that I am not well-versed in this domain so I might have omitted important information. If so, please let me know and I am happy to update this question.



 Answers
1

The AllowUsers option in the /etc/ssh/sshd_config file is exactly what you need to accomplish user access restriction via ssh.


See the manpage for sshd_config:


AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces.
If specified, login is allowed only for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not recognized. By default, login
is allowed for all users. If the pattern takes the form USER@HOST then USER and
HOST are separately checked, restricting logins to particular users from particular
hosts. HOST criteria may additionally contain addresses to match in CIDR
address/masklen format. The allow/deny users directives are processed in the
following order: DenyUsers, AllowUsers.

In order for the changes in sshd_config to take effect, you need to restart the sshd service with:


$ sudo systemctl restart ssh.service

If that still does not work, check the /etc/ssh/sshd_config.d folder for any additional configuration files that overrule your AllowUsers statement.


[#2890] Friday, January 28, 2022
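
The checks suggested in the answer above, as an added example that is not part of the original answer: the script lists every AllowUsers, DenyUsers, AllowGroups and DenyGroups line in the main file and the drop-in directory with file and line number, and reports whether the main file has an Include line at all. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Lists every user/group access
# directive sshd could read, with file and line number, so a stray or missing
# AllowUsers line is easy to spot before restarting the service.

# list_access_directives MAIN_CONFIG DROPIN_DIR
list_access_directives() {
    main_cfg=$1
    dropin_dir=$2
    for f in "$main_cfg" "$dropin_dir"/*.conf; do
        [ -f "$f" ] || continue            # unmatched glob or missing file
        awk -v file="$f" '
            $1 ~ /^#/ { next }             # skip comment lines
            tolower($1) ~ /^(allow|deny)(users|groups)$/ {
                printf "%s:%d: %s\n", file, NR, $0
            }' "$f"
    done
}

# dropins_included MAIN_CONFIG: succeeds only if the main file has an Include
# directive; without one, sshd never reads the drop-in directory.
dropins_included() {
    awk 'tolower($1) == "include" { found = 1 } END { exit !found }' "$1"
}

# demo: runs both checks on constructed sample files, not real configuration.
demo() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf '%s\n' '# constructed sample' 'PasswordAuthentication no' \
        'AllowUsers User-A' > "$d/sshd_config"
    printf '%s\n' 'allowusers Remote-User' > "$d/sshd_config.d/50-sample.conf"
    list_access_directives "$d/sshd_config" "$d/sshd_config.d"
    dropins_included "$d/sshd_config" ||
        echo "note: no Include line; drop-ins are not read"
    rm -rf "$d"
}

demo

# On the server itself (needs root; both are real sshd options):
#   sudo sshd -t                          # syntax-check the configuration
#   sudo sshd -T | grep -i allowusers     # print the effective setting
```
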
kilusy