
I have an Amazon Linux 2 host.

Suppose there are:

  • RDS (Oracle) instances R1, R2
  • users U1, U2, U3
  • groups G1, G2

Group G1 has PermitOpen for R1:1521.

Group G2 has PermitOpen for R2:1521.

U1 is added to group G1.

U2 is added to group G2.

U3 is added to both groups G1 and G2.

My sshd_config file is:

    Match Group G1
        PermitOpen R1:1521
    Match Group G2
        PermitOpen R2:1521
    Match Group G1,G2
        PermitOpen R1:1521 R2:1521

It works for users U1 and U2, but it is not working for user U3 (it can access only the R1 RDS).

Fawkes
  • `man sshd_config` says `If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.`. Could this be the reason? –  Oct 12 '20 at 11:54
  • @sitaram Yeah, as per the man page I believe that is why it is happening like that, so can you please give any alternative solution for it? I have searched and found that it is possible to edit the authorized_keys of the individual user and give the permitopen there, but I want to do that only as a last resort. – Fawkes Oct 12 '20 at 15:09
  • From `If all of the criteria on the Match line are satisfied` I am guessing that `match G1,G2` counts as an AND condition, so simply moving it to the top (before the individual G1 and G2 matches) should work. But please test. Would appreciate a comment here if it works. –  Oct 13 '20 at 05:30
  • I had moved up the match criteria of G1,G2; then the users of group G1 will also get the access of G2, meaning G1 and G2 can access R1 and R2. – Fawkes Oct 13 '20 at 20:08
  • not clear if "will also get" is to be taken literally, as in, you are supposing that it will, or that you have tried it and it actually did that. If the former, please try. If the latter, well I guess the phrase "all of the criteria" in the manpage is clearly wrong, and you may have to make a third group called G12 for those people who have both R1 and R2 access. Sorry I'm not in a position to actually try all this out and am just reading the manual. –  Oct 14 '20 at 01:58
  • I have tried everything as you have mentioned, still not working. – Fawkes Oct 14 '20 at 15:47

1 Answer

Technically it is not an answer; it is more like a workaround (because I think it is the way sshd is built, at the time of answering the question).

I tried different kinds of permutations and combinations:

  1. The original configuration:

        Match Group G1
            PermitOpen R1:1521
        Match Group G2
            PermitOpen R2:1521
        Match Group G1,G2
            PermitOpen R1:1521 R2:1521

So I created G3 and added the groups G1 and G2, which becomes:

  2. A third group G3:

        Match Group G1
            PermitOpen R1:1521
        Match Group G2
            PermitOpen R2:1521
        Match Group G3
            PermitOpen R1:1521 R2:1521

But still it didn't work; it worked for G1, not for G2.

  3. All three groups on one Match line:

        Match Group G1
            PermitOpen R1:1521
        Match Group G2
            PermitOpen R2:1521
        Match Group G1,G2,G3
            PermitOpen R1:1521 R2:1521

But still it didn't work; it worked for G1, not for G2.

  4. A separate Match block for G3:

        Match Group G1
            PermitOpen R1:1521
        Match Group G2
            PermitOpen R2:1521
        Match Group G3
            PermitOpen R1:1521 R2:1521

The G3 group has R1 and R2, and it worked.

I think the reason it works is the following:

> If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

Either the above can work, or use permitopen in the authorized_keys.

Fawkes
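To make the behaviour in the question and the answer concrete, here is a small model of how sshd resolves `PermitOpen` across `Match Group` blocks. It is an added illustration written for this page, not code from the thread or from OpenSSH, and it encodes two rules from sshd_config(5): a comma-separated pattern list on a `Match` criterion is satisfied if any entry matches (so `Match Group G1,G2` is satisfied by a member of either group), and when a keyword appears in several satisfied `Match` blocks only the first instance is applied. The group, host and port names are the thread's placeholders; the ordering with the `Match Group G3` block placed first is an assumption used to show the fix, not something the thread states.

```python
"""Model of sshd's Match/PermitOpen resolution (added example, not OpenSSH code).

Only 'Match Group <pattern-list>' and 'PermitOpen <host:port ...>' are
modelled; group names, hosts and ports are constructed from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class MatchBlock:
    groups: Set[str]          # pattern list after "Match Group" (any entry may match)
    permit_open: List[str]    # host:port entries given under this block


def parse_sshd_config(text: str) -> List[MatchBlock]:
    """Parse the Match Group / PermitOpen subset of an sshd_config fragment."""
    blocks: List[MatchBlock] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            criterion, _, patterns = rest.partition(" ")
            if criterion.lower() != "group":
                raise ValueError(f"only the Group criterion is modelled: {line}")
            current = MatchBlock(set(patterns.strip().split(",")), [])
            blocks.append(current)
        elif keyword == "permitopen":
            if current is None:
                raise ValueError("PermitOpen outside a Match block is not modelled")
            current.permit_open.extend(rest.split())
        else:
            raise ValueError(f"unsupported keyword for this model: {line}")
    return blocks


def effective_permit_open(blocks: List[MatchBlock], user_groups: Set[str]) -> List[str]:
    """Return the PermitOpen list sshd applies for a user with these groups.

    A block is satisfied if any of its listed groups is one of the user's
    groups; the FIRST satisfied block that carries PermitOpen wins, and later
    satisfied blocks are not merged into it.
    """
    for block in blocks:
        if block.groups & user_groups and block.permit_open:
            return list(block.permit_open)
    return []  # no Match block supplied PermitOpen; the global value would apply


# The asker's configuration: the combined block comes last.
ASKER_CONFIG = """
Match Group G1
    PermitOpen R1:1521
Match Group G2
    PermitOpen R2:1521
Match Group G1,G2
    PermitOpen R1:1521 R2:1521
"""

# The suggestion from the comments: move the combined block to the top.
# Because 'G1,G2' matches EITHER group, every G1 member now also gets R2.
MOVED_UP_CONFIG = """
Match Group G1,G2
    PermitOpen R1:1521 R2:1521
Match Group G1
    PermitOpen R1:1521
Match Group G2
    PermitOpen R2:1521
"""

# Assumed fix: a third group for users who need both, matched FIRST so that
# first-instance-wins selects it before the single-group blocks.
THIRD_GROUP_FIRST_CONFIG = """
Match Group G3
    PermitOpen R1:1521 R2:1521
Match Group G1
    PermitOpen R1:1521
Match Group G2
    PermitOpen R2:1521
"""

# Constructed group memberships mirroring the thread (U3 also placed in G3).
USERS: Dict[str, Set[str]] = {
    "U1": {"G1"},
    "U2": {"G2"},
    "U3": {"G1", "G2", "G3"},
}


def resolve_all(config: str) -> Dict[str, List[str]]:
    """Effective PermitOpen per user for one configuration."""
    blocks = parse_sshd_config(config)
    return {user: effective_permit_open(blocks, groups) for user, groups in USERS.items()}


if __name__ == "__main__":
    for name, cfg in [("asker", ASKER_CONFIG), ("moved up", MOVED_UP_CONFIG),
                      ("G3 first", THIRD_GROUP_FIRST_CONFIG)]:
        print(name, resolve_all(cfg))
```

The model reproduces both observations in the thread: with the asker's ordering U3 only ever reaches R1, and with the combined block moved to the top U1 gains R2 as well, because `G1,G2` is an any-of list rather than an and-of. Ordering the `Match Group G3` block before the single-group blocks gives each user exactly its intended targets. On the host itself, `sshd -T -C user=<name>` prints the configuration sshd would actually apply for that account (the account must exist so group matching can be evaluated), which is the quickest way to confirm the effective `permitopen` value after any change.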