
Restricting root SSH access works perfectly in CentOS 6, but using the same method fails on CentOS 7. What are we doing wrong? An interesting point is that on our CentOS 6 hosts we have stated in sshd_config that only our defined user is permitted:

AllowUsers OurUser 

and others are not permitted. But on CentOS 7 we have to permit root too; otherwise neither root nor our user is allowed to log in. I have checked the sudoers file many times and it seems OK.

OurUser ALL=(ALL) NOPASSWD: ALL

Any clues?

Al. V
  • What does `visudo -c` tell you? – Markus W Mahlberg Dec 26 '18 at 11:08
  • @MarkusWMahlberg just: parsed OK. – Al. V Dec 26 '18 at 12:26
  • @Al.V I may be missing something, but I don’t understand your point. If you can’t login with SSH, it must be related to your sshd config. But sshd does not look at the content of your /etc/sudoers file. What makes you think your problem is related to your sudoers file? – user2233709 Dec 26 '18 at 14:37

1 Answer

I assume that your user has multiple matches, and the last one is the one which counts in the sudoers file. Without having the full file available it is hard to verify if this is the case, but it is definitely worth checking.

For further details see: https://www.sudo.ws/man/1.8.13/sudoers.man.html

SUDOERS FILE FORMAT

The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match). The sudoers grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly simple, and the definitions below are annotated

hargut
  • Thanks. I have checked the files a hundred times on both CentOS 6 and CentOS 7. The only difference here is the line PermitRootLogin no in CentOS 6 and PermitRootLogin yes in CentOS 7. In both versions AllowUsers is set to OurUser. But this is the case: in CentOS 6 everything is OK, while in CentOS 7, if PermitRootLogin is set to no, neither root nor OurUser is permitted! – Al. V Dec 26 '18 at 12:35
  • And I insist that we have been keen on the sudoers coding standard. The line OurUser ALL=(ALL) NOPASSWD: ALL is just the last line, after the line #includedir /etc/sudoers.d – Al. V Dec 26 '18 at 12:40
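The "last match is used" rule that the answer quotes from sudoers(5), as an added example that is not part of the original answer: a small simulator over a constructed sudoers fragment (SAMPLE_SUDOERS and SAMPLE_GROUPS are assumptions standing in for /etc/sudoers and /etc/group) showing that a later entry overrides an earlier one for the same user and command, so a NOPASSWD line only wins for commands that no later matching entry covers.

```python
"""Sudoers 'last match wins' simulator (added example, not from the post).
Handles plain user specs only: users by name or %group, commands by exact
path or ALL; aliases, #includedir and command arguments are out of scope."""
import re

# Constructed sudoers fragment and group table (stands in for /etc/group).
SAMPLE_SUDOERS = """
root     ALL=(ALL)  ALL
%wheel   ALL=(ALL)  ALL
OurUser  ALL=(ALL)  NOPASSWD: ALL
%wheel   ALL=(ALL)  /usr/bin/systemctl   # later and narrower, no NOPASSWD
"""
SAMPLE_GROUPS = {"wheel": {"OurUser", "admin"}}

SPEC_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
SKIP = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

def parse_specs(text):
    """Return user specifications in file order, tagged with line numbers."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drops comments and #includedir
        if not line or line.split()[0] in SKIP:
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append({"line": lineno, "users": m["users"].split(","),
                          "cmds": [c.strip() for c in m["cmds"].split(",")],
                          "nopasswd": "NOPASSWD:" in m["tags"]})
    return specs

def user_matches(spec, user, groups):
    """Direct user name, %group membership, or ALL."""
    return any(u == "ALL" or u == user or
               (u.startswith("%") and user in groups.get(u[1:], set()))
               for u in spec["users"])

def effective_spec(text, user, command, groups):
    """Last entry matching both user and command wins, as sudoers(5) states."""
    winner = None
    for spec in parse_specs(text):
        if user_matches(spec, user, groups) and \
                any(c in ("ALL", command) for c in spec["cmds"]):
            winner = spec                      # keep overwriting: last wins
    return winner
```

For OurUser the sample yields NOPASSWD for /bin/ls (last match is the OurUser line) but a password prompt for /usr/bin/systemctl, because the later %wheel entry matches that command and carries no tag.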