mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-13 22:30:37 +08:00
301 lines
9.9 KiB
Markdown
301 lines
9.9 KiB
Markdown
|
[#]: collector: (lujun9972)
|
|||
|
[#]: translator: ( )
|
|||
|
[#]: reviewer: ( )
|
|||
|
[#]: publisher: ( )
|
|||
|
[#]: url: ( )
|
|||
|
[#]: subject: (How To Enable Or Disable SSH Access For A Particular User Or Group In Linux?)
|
|||
|
[#]: via: (https://www.2daygeek.com/allow-deny-enable-disable-ssh-access-user-group-in-linux/)
|
|||
|
[#]: author: (2daygeek http://www.2daygeek.com/author/2daygeek/)
|
|||
|
|
|||
|
How To Enable Or Disable SSH Access For A Particular User Or Group In Linux?
|
|||
|
======
|
|||
|
|
|||
|
As per your organization standard policy, you may need to allow only the list of users that are allowed to access the Linux system.
|
|||
|
|
|||
|
Or you may need to allow only few groups, which are allowed to access the Linux system.
|
|||
|
|
|||
|
How to achieve this? What is the best way? How to achieve this in a simple way?
|
|||
|
|
|||
|
Yes, there are many ways are available to perform this.
|
|||
|
|
|||
|
However, we need to go with simple and easy method.
|
|||
|
|
|||
|
If so, it can be done by making the necessary changes in `/etc/ssh/sshd_config` file.
|
|||
|
|
|||
|
In this article we will show you, how to perform this in details.
|
|||
|
|
|||
|
Why are we doing this? due to security reason. Navigate to the following URL to know more about **[openSSH][1]** usage.
|
|||
|
|
|||
|
### What Is SSH?
|
|||
|
|
|||
|
openssh stands for OpenBSD Secure Shell. Secure Shell (ssh) is a free open source networking tool which allow us to access remote system over an unsecured network using Secure Shell (SSH) protocol.
|
|||
|
|
|||
|
It’s a client-server architecture. It handles user authentication, encryption, transferring files between computers and tunneling.
|
|||
|
|
|||
|
These can be accomplished via traditional tools such as telnet or rcp, these are insecure and use transfer password in cleartext format while performing any action.
|
|||
|
|
|||
|
### How To Allow A User To Access SSH In Linux?
|
|||
|
|
|||
|
We can allow/enable the ssh access for a particular user or list of the users using the following method.
|
|||
|
|
|||
|
If you would like to allow more than one user then you have to add the users with space in the same line.
|
|||
|
|
|||
|
To do so, just append the following value into `/etc/ssh/sshd_config` file. In this example, we are going to allow ssh access for `user3`.
|
|||
|
|
|||
|
```
|
|||
|
# echo "AllowUsers user3" >> /etc/ssh/sshd_config
|
|||
|
```
|
|||
|
|
|||
|
You can double check this by running the following command.
|
|||
|
|
|||
|
```
|
|||
|
# cat /etc/ssh/sshd_config | grep -i allowusers
|
|||
|
AllowUsers user3
|
|||
|
```
|
|||
|
|
|||
|
That’s it. Just bounce the ssh service and see the magic.
|
|||
|
|
|||
|
```
|
|||
|
# systemctl restart sshd
|
|||
|
|
|||
|
# service restart sshd
|
|||
|
```
|
|||
|
|
|||
|
Simple open a new terminal or session and try to access the Linux system with different user. Yes, `user2` isn’t allowed for SSH login and will be getting an error message as shown below.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
Permission denied, please try again.
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
|
|||
|
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user user2 [preauth]
|
|||
|
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (user2)
|
|||
|
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user2
|
|||
|
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2
|
|||
|
```
|
|||
|
|
|||
|
At the same time `user3` is allowed to login into the system because it’s in allowed users list.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
[[email protected] ~]$
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
|
|||
|
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user user3 by (uid=0)
|
|||
|
```
|
|||
|
|
|||
|
### How To Deny Users To Access SSH In Linux?
|
|||
|
|
|||
|
We can deny/disable the ssh access for a particular user or list of the users using the following method.
|
|||
|
|
|||
|
If you would like to disable more than one user then you have to add the users with space in the same line.
|
|||
|
|
|||
|
To do so, just append the following value into `/etc/ssh/sshd_config` file. In this example, we are going to disable ssh access for `user1`.
|
|||
|
|
|||
|
```
|
|||
|
# echo "DenyUsers user1" >> /etc/ssh/sshd_config
|
|||
|
```
|
|||
|
|
|||
|
You can double check this by running the following command.
|
|||
|
|
|||
|
```
|
|||
|
# cat /etc/ssh/sshd_config | grep -i denyusers
|
|||
|
DenyUsers user1
|
|||
|
```
|
|||
|
|
|||
|
That’s it. Just bounce the ssh service and see the magic.
|
|||
|
|
|||
|
```
|
|||
|
# systemctl restart sshd
|
|||
|
|
|||
|
# service restart sshd
|
|||
|
```
|
|||
|
|
|||
|
Simple open a new terminal or session and try to access the Linux system with Deny user. Yes, `user1` is in denyusers list. So, you will be getting an error message as shown below when you are try to login.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
Permission denied, please try again.
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
|
|||
|
Mar 29 01:53:42 CentOS7 sshd[4753]: input_userauth_request: invalid user user1 [preauth]
|
|||
|
Mar 29 01:53:46 CentOS7 unix_chkpwd[4755]: password check failed for user (user1)
|
|||
|
Mar 29 01:53:46 CentOS7 sshd[4753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user1
|
|||
|
Mar 29 01:53:48 CentOS7 sshd[4753]: Failed password for invalid user user1 from 192.168.1.6 port 42522 ssh2
|
|||
|
```
|
|||
|
|
|||
|
### How To Allow Groups To Access SSH In Linux?
|
|||
|
|
|||
|
We can allow/enable the ssh access for a particular group or groups using the following method.
|
|||
|
|
|||
|
If you would like to allow more than one group then you have to add the groups with space in the same line.
|
|||
|
|
|||
|
To do so, just append the following value into `/etc/ssh/sshd_config` file. In this example, we are going to disable ssh access for `2g-admin` group.
|
|||
|
|
|||
|
```
|
|||
|
# echo "AllowGroups 2g-admin" >> /etc/ssh/sshd_config
|
|||
|
```
|
|||
|
|
|||
|
You can double check this by running the following command.
|
|||
|
|
|||
|
```
|
|||
|
# cat /etc/ssh/sshd_config | grep -i allowgroups
|
|||
|
AllowGroups 2g-admin
|
|||
|
```
|
|||
|
|
|||
|
Run the following command to know the list of the users are belongs to this group.
|
|||
|
|
|||
|
```
|
|||
|
# getent group 2g-admin
|
|||
|
2g-admin:x:1005:user1,user2,user3
|
|||
|
```
|
|||
|
|
|||
|
That’s it. Just bounce the ssh service and see the magic.
|
|||
|
|
|||
|
```
|
|||
|
# systemctl restart sshd
|
|||
|
|
|||
|
# service restart sshd
|
|||
|
```
|
|||
|
|
|||
|
Yes, `user3` is allowed to login into the system because user3 is belongs to `2g-admin` group.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
[[email protected] ~]$
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 02:10:21 CentOS7 sshd[5165]: Accepted password for user1 from 192.168.1.6 port 42640 ssh2
|
|||
|
Mar 29 02:10:22 CentOS7 sshd[5165]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
|
|||
|
```
|
|||
|
|
|||
|
Yes, `user2` is allowed to login into the system because user2 is belongs to `2g-admin` group.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
[[email protected] ~]$
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 02:10:38 CentOS7 sshd[5225]: Accepted password for user2 from 192.168.1.6 port 42642 ssh2
|
|||
|
Mar 29 02:10:38 CentOS7 sshd[5225]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
|
|||
|
```
|
|||
|
|
|||
|
When you are try to login into the system with other users which are not part of this group then you will be getting an error message as shown below.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
Permission denied, please try again.
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
|
|||
|
Mar 29 02:12:36 CentOS7 sshd[5306]: input_userauth_request: invalid user ladmin [preauth]
|
|||
|
Mar 29 02:12:56 CentOS7 unix_chkpwd[5310]: password check failed for user (ladmin)
|
|||
|
Mar 29 02:12:56 CentOS7 sshd[5306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=ladmin
|
|||
|
Mar 29 02:12:58 CentOS7 sshd[5306]: Failed password for invalid user ladmin from 192.168.1.6 port 42674 ssh2
|
|||
|
```
|
|||
|
|
|||
|
### How To Deny Group To Access SSH In Linux?
|
|||
|
|
|||
|
We can deny/disable the ssh access for a particular group or groups using the following method.
|
|||
|
|
|||
|
If you would like to disable more than one group then you need to add the group with space in the same line.
|
|||
|
|
|||
|
To do so, just append the following value into `/etc/ssh/sshd_config` file.
|
|||
|
|
|||
|
```
|
|||
|
# echo "DenyGroups 2g-admin" >> /etc/ssh/sshd_config
|
|||
|
```
|
|||
|
|
|||
|
You can double check this by running the following command.
|
|||
|
|
|||
|
```
|
|||
|
# # cat /etc/ssh/sshd_config | grep -i denygroups
|
|||
|
DenyGroups 2g-admin
|
|||
|
|
|||
|
# getent group 2g-admin
|
|||
|
2g-admin:x:1005:user1,user2,user3
|
|||
|
```
|
|||
|
|
|||
|
That’s it. Just bounce the ssh service and see the magic.
|
|||
|
|
|||
|
```
|
|||
|
# systemctl restart sshd
|
|||
|
|
|||
|
# service restart sshd
|
|||
|
```
|
|||
|
|
|||
|
Yes `user3` isn’t allowed to login into the system because it’s not part of `2g-admin` group. It’s in Denygroups.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
Permission denied, please try again.
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.6 not allowed because a group is listed in DenyGroups
|
|||
|
Mar 29 02:17:32 CentOS7 sshd[5400]: input_userauth_request: invalid user user1 [preauth]
|
|||
|
Mar 29 02:17:38 CentOS7 unix_chkpwd[5402]: password check failed for user (user1)
|
|||
|
Mar 29 02:17:38 CentOS7 sshd[5400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user1
|
|||
|
Mar 29 02:17:41 CentOS7 sshd[5400]: Failed password for invalid user user1 from 192.168.1.6 port 42710 ssh2
|
|||
|
```
|
|||
|
|
|||
|
Anyone can login into the system except `2g-admin` group. Hence, `ladmin` user is allowed to login into the system.
|
|||
|
|
|||
|
```
|
|||
|
# ssh [email protected]
|
|||
|
[email protected]'s password:
|
|||
|
[[email protected] ~]$
|
|||
|
```
|
|||
|
|
|||
|
Output:
|
|||
|
|
|||
|
```
|
|||
|
Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
|
|||
|
Mar 29 02:19:13 CentOS7 sshd[5432]: pam_unix(sshd:session): session opened for user ladmin by (uid=0)
|
|||
|
```
|
|||
|
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
|
|||
|
via: https://www.2daygeek.com/allow-deny-enable-disable-ssh-access-user-group-in-linux/
|
|||
|
|
|||
|
作者:[2daygeek][a]
|
|||
|
选题:[lujun9972][b]
|
|||
|
译者:[译者ID](https://github.com/译者ID)
|
|||
|
校对:[校对者ID](https://github.com/校对者ID)
|
|||
|
|
|||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
|||
|
|
|||
|
[a]: http://www.2daygeek.com/author/2daygeek/
|
|||
|
[b]: https://github.com/lujun9972
|
|||
|
[1]: https://www.2daygeek.com/category/ssh-tutorials/
|