I'm trying to modify /etc/ssh/sshd_config on my dedicated Debian 7 server with both AllowUsers and AllowGroups. However, I can't seem to get both to work together.


The Setup

  • There's a user called testuser.
  • That user is in a group called ssh-users:

    $ groups testuser
    testuser : testuser ssh-users
    
  • testuser is trying to connect via ssh testuser@<server_ip> and entering their password.

  • My sshd_config can be found here: http://pastebin.com/iZvVDFKL - I think basically the only changes I made from the default were:
    • to set PermitRootLogin no
    • and add two users with AllowUsers (actual usernames differ on my server)
  • service ssh restart is run each time after modifying sshd_config.

The Problem

  • testuser can connect when set with AllowUsers:

    AllowUsers user1 user2 testuser
    
  • testuser can NOT connect when setting AllowGroups for its group:

    AllowUsers user1 user2
    AllowGroups ssh-users
    

    which results in `Permission denied, please try again.` when testuser enters their password in the ssh password prompt.


The Question

  • Does AllowUsers override AllowGroups?
  • What's the best way to fix this without manually adding the username to AllowUsers? Ideally I'd like to be able to just add users to the ssh-users group in the future without having to touch sshd_config again.
StackzOfZtuff
Johannes
  • `Ideally I'd like to be able to just add users to the ssh-users group in the future without having to touch sshd_config again.` - So why are you using AllowUsers at all? Just put everyone in the group/groups. – Zoredache Jul 31 '14 at 23:42

6 Answers

35

Yes, AllowUsers takes precedence over AllowGroups. If specified, only the users that match the pattern specified in AllowUsers may connect to the SSHD instance.

According to sshd_config manpage:

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So, the solution to your problem is probably to use one or the other, possibly the group access directives if groups are your preferred way to manage users.

Esa Jokinen
  • So would just having `AllowGroups user1 user2 ssh-users` work? I'd prefer your confirmation before testing it since I've had it happen before where I accidentally removed my own ssh privileges and had to go through support to fix it. How about the `Match` block? I'm asking for advice there since although I've looked at the man page, I don't have the intuition/experience to know how it would work in practice. For example with the order of processing I figured, since AllowGroups comes after AllowUsers, it would override it when processed, but my intuition was wrong there :) – Johannes Aug 01 '14 at 00:34
  • If all 3 of those are groups on your system, it should work. If user1 and user2 are just users, you can add them to ssh-users, and get by with AllowGroups ssh-users. – Jeff-Inventor ChromeOS Aug 01 '14 at 02:22
  • @Johannes when you test such a thing, just make sure you have a shell opened on the machine. Restarting sshd won't break your session, and if you can't open a new one, you can fix your mess with the existing one. – Jean-Bernard Jansen Jul 11 '18 at 10:40
  • It's funny that only EL {7,8}'s `man 5 sshd_config` contains the complete processing order. All other distros (I use): Fedora 32, Arch and Ubuntu 20.04 LTS follow the OpenSSH upstream docs, in which only Deny before Allow is explained, but not that Users matches are processed before Groups. FYI. – Terry Wang May 07 '20 at 00:02
  • @Jeff-InventorChromeOS In other words: If you want to allow groups, you _must not_ also allow particular users? – stackprotector Apr 11 '22 at 10:13
  • It doesn't take precedence - both rules are applied. If a user is in `AllowUsers` and `AllowGroups` is present without containing one of the user's groups, they will still be denied access. (If `AllowGroups` / `AllowUsers` are present, only users matching all of that criteria can log in - one does not override the other one, both are applied.) – Gert van den Berg Oct 19 '22 at 09:07
16

Here is a solution we have found working:

AllowUsers user1 user2
Match group ssh-users
    AllowUsers *
vimja
7

Jeff's answer covers the specifics of the question as detailed, but I found this question looking to use AllowUsers and AllowGroups in a slightly different scenario. I wanted to restrict incoming connections to users in a group (ssh) coming from specific subnets.

The connection rules in sshd_config are a filter - as each additional rule is applied, the set of acceptable users can only be reduced. The PATTERNS section of ssh_config(5) explains the form of those rules.

Additionally, according to the AllowUsers section of sshd_config:

If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format.

AllowGroups doesn't accept the USER@HOST form.

So, to accept users 1) in the ssh group and 2) from specific subnets/hosts:

AllowUsers *@192.168.1.0/24 *@*.example.com *@1.2.3.4
AllowGroups ssh
bjacobowski
  • `AllowGroups doesn't accept the USER@HOST form.` Not sure what you mean by this, and it is certainly not what the config file or docs say. AllowGroups definitely does allow you to log in using ssh username@example.com. – AndrewD Dec 11 '17 at 15:59
  • @AndrewD AllowGroups only accepts group names - e.g. you cannot do `AllowGroups ssh@example.com`. HOST is the source, where you're sshing from. – bjacobowski Jan 17 '18 at 20:45
  • @bjacobowski AndrewD seems to be right. You can use `AllowGroups groupname@example.com` to allow users of an AD group to SSH into a machine (that is domain joined). – stackprotector Apr 11 '22 at 10:23
  • @stackprotector But it does not have the same meaning as the `USER@HOST` form from AllowUsers. For an AD group, the `@domain` is part of the group name, completely ignored by `sshd`. It's the NSS library (winbind or other) working with AD that will do something with the domain part. – Ale Dec 07 '22 at 13:35
2

I did a test on RedHat 8.1. It seems that it's more complicated.

AllowUsers user1 user2
AllowGroups ssh-users

If user1 and user2 are not in the ssh-users group, then

  1. user1 or user2 can NOT ssh login.
  2. users in ssh-users group can NOT ssh login either!

The thing is, if both AllowUsers and AllowGroups are used, then only the intersection of them is able to ssh login. It's kind of weird but actually makes sense.

hajimuz
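As an added illustration (not code from any of the posts above), a small Python model of the processing order quoted from the manpage (DenyUsers, AllowUsers, DenyGroups, AllowGroups), including the USER@HOST/CIDR form of AllowUsers. It shows why a user listed in AllowUsers is still denied when AllowGroups does not contain one of their groups, and why testuser is denied once AllowUsers is present without them. The directives and group memberships are constructed sample values; the `login_allowed` helper is hypothetical, not part of OpenSSH.

```python
import fnmatch
import ipaddress

# Constructed sample sshd_config directives (values are patterns, like in sshd_config).
DIRECTIVES = {
    "DenyUsers": [],
    "AllowUsers": ["user1", "user2", "*@192.168.1.0/24"],
    "DenyGroups": [],
    "AllowGroups": ["ssh-users"],
}
# Constructed sample group memberships, as `groups <user>` would report them.
GROUPS = {
    "user1": ["user1"],
    "user2": ["user2", "ssh-users"],
    "testuser": ["testuser", "ssh-users"],
}


def match_host(pattern, addr, hostname):
    """HOST part of USER@HOST: a CIDR block against the client address,
    or a wildcard pattern against the address or resolved hostname."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(addr, pattern) or fnmatch.fnmatchcase(hostname, pattern)


def match_user(pattern, user, addr, hostname):
    """A bare pattern matches the user name; USER@HOST checks both parts separately."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and match_host(hpat, addr, hostname)
    return fnmatch.fnmatchcase(user, pattern)


def login_allowed(directives, groups, user, addr="127.0.0.1", hostname="localhost"):
    """Apply the four directives in manpage order. Each stage only narrows the
    set of accepted users, so AllowUsers and AllowGroups act as an intersection."""
    ugroups = groups.get(user, [])
    if any(match_user(p, user, addr, hostname) for p in directives.get("DenyUsers", [])):
        return False
    allow_users = directives.get("AllowUsers", [])
    if allow_users and not any(match_user(p, user, addr, hostname) for p in allow_users):
        return False
    if any(fnmatch.fnmatchcase(g, p) for g in ugroups for p in directives.get("DenyGroups", [])):
        return False
    allow_groups = directives.get("AllowGroups", [])
    if allow_groups and not any(fnmatch.fnmatchcase(g, p) for g in ugroups for p in allow_groups):
        return False
    return True
```

The model only handles `*`/`?` wildcards and CIDR hosts; it does not implement `Match` blocks or negated patterns.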
1

In a firewall, the rules are checked in order until a positive match is found, and then the connection is allowed; otherwise it is denied.

In sshd_config all the rules are checked: if the origin matches two or three conditions and in one of them it is NOT allowed, it doesn't have access.

In this example I'm admin:

My sshd_config:

AllowUsers  admin
Match Address IP1, IP2, IP3, MyIP
 AllowUsers user1
 ChrootDirectory %h

MyIP is in the second section, so I can't login.

I have to delete MyIP from the second section.

If I add my user in the second section I'll be restricted by ChrootDirectory.

Andrew Schulman
1

As stated by @hajimuz - if both directives are defined, i.e. AllowUsers and AllowGroups, both criteria must be met by the user who tries to log in.
So the user name must be part of AllowUsers and their group must be part of AllowGroups. This is a logical AND, not OR.

The order of processing directives mentioned by @Jeff-Inventor ChromeOS is no longer in the man page for sshd_config since OpenSSH 8.2:

Finally, if one would like to mix AllowUsers and AllowGroups, the option suggested by @vimja works flawlessly.

petee