[ubuntu] SSHD_Config permission level

televisi
April 20th, 2009, 05:37 PM
Hi All,
I'm hoping this new thread of mine is a new beginning of my Linux life ;)

I've configured ssh on my Ubuntu 8.04.2 server edition, and SSH seems to be working fine.

According to the documentation (man sshd_config)

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

Now, I did some testing using different users and groups, for example:


- Group A
=> user A1
=> user A2

- Group B
=> user B1
=> user B2

- Group C
=> user C1


Now, I set /etc/sshd_config:
AllowUsers A1 B1 C1
AllowGroups A

What I noticed is that users B1 and C1 are not allowed to log in through SSH (after restarting the service, obviously), because users B1 & C1 are not in AllowGroups, interesting eh?!

I also did some DEBUG1 testing and found out the permission levels are as follows:
- AllowUsers => lowest (this setting will be overridden with higher levels)
- AllowGroups
- DenyGroups
- DenyUsers => highest

Did I miss something here?

Hospadar
April 20th, 2009, 06:44 PM
What if you change it to
AllowGroups A
AllowUsers A1 B1 C1

televisi
April 20th, 2009, 06:58 PM
Same thing, it gives me the error:
User B1 from SERVER not allowed because none of user's groups are listed in AllowGroups

spiderbatdad
April 20th, 2009, 07:24 PM
# usermod takes the group first and the user last: add users B1 and C1 to group A
sudo usermod -a -G A B1
sudo usermod -a -G A C1

or AllowGroups A B C

televisi
April 21st, 2009, 03:27 AM
Hi spiderbatdad,
I suspect that by running the above code (usermod), we include B1 & C1 in group A.

Will this create another issue though, especially with file permissions? (i.e. if I only want group A to have RW on a specific directory and the others (groups B/C) to have R permission only)

Thanks

antikristian
April 21st, 2009, 04:22 AM
I usually only use AllowGroups D
Create a new group D and add the users I want to be able to use SSH to group D

The other group permissions still apply though: if user A1 is a member of groups A and D, and a folder is RO to group A, then A1 will only be able to read that folder.

If user B1 is a member of A, B and D, and group B has RW on the same folder, user B1 will have RW access. And lastly, if C1 is a member of groups C and D, and group C has no read or write on that folder, C1 will not be able to open the folder.

televisi
April 21st, 2009, 07:25 AM
Hm... interesting workaround!!!

So... does anyone know why the permission levels are as follows:
- AllowUsers => lowest (this setting will be overridden with higher levels)
- AllowGroups
- DenyGroups
- DenyUsers => highest

Linux Manual error? (I don't think so...)

antikristian
April 23rd, 2009, 10:09 AM
According to the manpage it gets processed in this order:

The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.

This is similar to how tcpwrapper does it:

If you set hosts.allow to ALL: ALL and hosts.deny to mycomp: ALL, then mycomp, and all other computers, will get access (I believe). But if you set hosts.deny to ALL: ALL and hosts.allow to mycomp: ALL, then only mycomp will get access.

All in all, it comes down to a choice done by the developers, and doing it the other way around would probably have its advantages.
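The behaviour the thread observed follows from each directive being a filter that can only reject, so a user must pass every directive that is set; the "order" in the manpage is just the order the filters run in. The following simulation is an added example (not code from any poster or from OpenSSH itself); it assumes the users and groups of the first post and models only plain user/group patterns, not user@host forms.

```python
import fnmatch

def _matches(name, patterns):
    """True if name matches any pattern (sshd accepts glob-style patterns)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def ssh_user_allowed(user, groups, config):
    """Simulate sshd's allow/deny checks in manpage order.

    config: dict with optional keys DenyUsers, AllowUsers, DenyGroups,
    AllowGroups, each a list of patterns.  Every directive that is set
    must be satisfied; none of them can override another.
    Returns (allowed, reason); reasons are modelled on sshd's log lines.
    """
    deny_users = config.get("DenyUsers", [])
    allow_users = config.get("AllowUsers", [])
    deny_groups = config.get("DenyGroups", [])
    allow_groups = config.get("AllowGroups", [])

    # 1. DenyUsers: a listed user is rejected outright
    if deny_users and _matches(user, deny_users):
        return False, f"User {user} not allowed because listed in DenyUsers"
    # 2. AllowUsers: if set, a user NOT listed is rejected
    if allow_users and not _matches(user, allow_users):
        return False, f"User {user} not allowed because not listed in AllowUsers"
    # 3. DenyGroups: if any of the user's groups is listed, reject
    if deny_groups and any(_matches(g, deny_groups) for g in groups):
        return False, f"User {user} not allowed because a group is listed in DenyGroups"
    # 4. AllowGroups: if set, a user with no listed group is rejected
    if allow_groups and not any(_matches(g, allow_groups) for g in groups):
        return False, (f"User {user} not allowed because none of user's "
                       "groups are listed in AllowGroups")
    return True, "allowed"

# Constructed setup mirroring the thread: groups A, B, C and their members.
USER_GROUPS = {"A1": ["A"], "A2": ["A"], "B1": ["B"], "B2": ["B"], "C1": ["C"]}
THREAD_CONFIG = {"AllowUsers": ["A1", "B1", "C1"], "AllowGroups": ["A"]}

def check_thread_config(config=THREAD_CONFIG):
    """Evaluate every thread user against a config; returns {user: allowed}."""
    return {u: ssh_user_allowed(u, g, config)[0] for u, g in USER_GROUPS.items()}

if __name__ == "__main__":
    for u, g in USER_GROUPS.items():
        ok, why = ssh_user_allowed(u, g, THREAD_CONFIG)
        print(f"{u}: {'allowed' if ok else 'denied'} ({why})")
```

Only A1 passes both filters; B1 and C1 fail on AllowGroups exactly as the error in the thread reports, while antikristian's single AllowGroups D group lets any member through without an AllowUsers line.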