
I have got two groups in sshd_config:

    AllowGroups sftpusers sshusers

And below Subsystem sftp /usr/lib/openssh/sftp-server I have these two groups:

    Match Group sftpusers,!sshusers
    ForceCommand internal-sftp
    ChrootDirectory %h
    AuthorizedKeysFile %h/.ssh/authorized_keys
    AllowTcpForwarding no

So my intention is to allow all users within the sftpusers group to use sftp, while all users within the sshusers group are denied sftp.

But this Match Group restriction does not work. After reloading the ssh server, users from the sshusers group can still log in via sftp, which I do not want.

Indeed the Match Group has no effect at all. No matter how I configure this line, the sshd service does not pay attention to it. I'm running Debian v7.6 amd64 with a grsecurity-hardened kernel on a DELL PowerEdge R720 dedicated server.

  • Have you tried running sshd in debug mode to get some feedback about the matching that is performed? – Felix Frank Aug 08 '14 at 09:39
  • The trouble is, I don't want to lose the connection to my server, which is located several hundred miles away from home. A single sshd debug session says: Set /proc/self/oom_score_adj from -1000 to -1000 debug1: Bind to port 22 on 0.0.0.0. Bind to port 22 on 0.0.0.0 failed: Address already in use. debug1: Bind to port 22 on ::. Bind to port 22 on :: failed: Address already in use. Cannot bind any address. – Mister natZONE Aug 08 '14 at 09:51
  • Start a separate instance of SSH on a different port and keep that one open while you debug. – Jenny D Aug 08 '14 at 10:03
  • I did and succeeded. But there were no enlightening debugging messages during the debug session on the alternative port 2222 after starting /usr/sbin/sshd -p 2222 -D -d -e. – Mister natZONE Aug 08 '14 at 10:20
  • Multiple -d options increase the debugging level. Maximum is 3. – Felix Frank Aug 08 '14 at 12:17
  • I'll give it a try, but it gets even weirder: even if I comment out the subsystem sftp /usr/lib/openssh/sftp-server line, all users can still log into the system! I cannot block them from within sshd_config unless I erase their groups from AllowGroups. So it's quite evident the ssh daemon pays absolutely no particular attention to any statements below the subsystem sftp /usr/lib/openssh/sftp-server directive. – Mister natZONE Aug 08 '14 at 12:52
  • Well, I think the penny is just beginning to drop: it's definitely not possible to exclude ssh users from sftp use. Anyone with a real login shell and who can log in via ssh automatically is entitled to use sftp. With OpenSSH, it's not otherwise provided. You may manage it vice versa: you may block sftp users from using ssh login, but you cannot block ssh users from using sftp. OpenSSH manages it only one way. – Mister natZONE Aug 08 '14 at 14:52
  • @MisternatZONE I think your match group line is working, but it only applies to sftpusers and doesn't have any effect on sshusers. The entire remainder of the sshd_config file still applies to sshusers, and the entire remainder of sshd_config normally allows users to run sftp. If you want help blocking certain users from using sftp, then maybe you should ask a question about that. – Kenster Aug 10 '14 at 13:12
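To make the point in the last comment concrete, here is an added example (not code from the question or from OpenSSH) that models how sshd evaluates a `Match Group` pattern list such as `sftpusers,!sshusers` and then applies the question's sshd_config to a few constructed users. It assumes the semantics of OpenSSH's match_pattern_list()/ga_match_pattern_list(): a negated pattern that hits any of the user's groups vetoes the block outright, and the block applies only if some positive pattern matched. Wildcards are approximated with fnmatch, and AllowGroups is checked by plain group name rather than as a pattern list; both are simplifications.

```python
"""Simplified model of OpenSSH `Match Group` evaluation (added example).

Not OpenSSH code: it mirrors the documented behaviour of match_pattern_list()
and ga_match_pattern_list() so the question's config can be reasoned about.
"""
from fnmatch import fnmatchcase


def match_pattern_list(name: str, patterns: str) -> int:
    """Return -1 if a negated pattern matched, 1 if a positive one did, else 0."""
    got_positive = 0
    for pat in patterns.split(","):
        pat = pat.strip()
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatchcase(name, pat):      # assumption: fnmatch ~ sshd's matcher
            if negated:
                return -1               # a negated match wins immediately
            got_positive = 1
    return got_positive


def group_block_applies(user_groups, patterns: str) -> bool:
    """Does `Match Group <patterns>` select a user with these groups?"""
    found = False
    for group in user_groups:
        result = match_pattern_list(group, patterns)
        if result == -1:
            return False                # any negated hit excludes the user
        if result == 1:
            found = True
    return found


def effective_policy(user_groups, allow_groups="sftpusers sshusers",
                     match_groups="sftpusers,!sshusers"):
    """What the question's sshd_config ends up granting to one user."""
    # Simplification: AllowGroups checked by exact name, not as a pattern list
    if not any(g in allow_groups.split() for g in user_groups):
        return "denied by AllowGroups"
    if group_block_applies(user_groups, match_groups):
        return "chrooted internal-sftp only"   # the Match block's ForceCommand
    # No Match block applies, so the global config holds: a shell and, because
    # the Subsystem sftp line is global, sftp as well.
    return "shell and sftp (global config)"
```

Running it on constructed memberships shows why sshusers keep sftp: a user only in sshusers (or in both groups) never matches the block, so nothing in the config takes sftp away from them.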
