Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: AllowUser, DenyUser don't work.

from [Kamchybek Jusupov] Network Security [Permanent Link]
Subject: Re: AllowUser, DenyUser don't work.
Date: Wed, 31 Jan 2007 13:23:36 +0800 
Hi MCG,

As per the section below, if you have "DenyUsers root", it will be
effective, even if you add "AllowUsers root@host"...

As for your situation, maybe this will be useful (from
PermitRootLogin section, man sshd_config):

---
If this option is set to ``forced-commands-only'', root login with
public key authentication will
             be allowed, but only if the command option has been
specified (which may be useful for taking
             remote backups even if root login is normally not
allowed).  All other authentication methods are
             disabled for root.
---

So, you'll need "public key authentication" and "PermitRootLogin no".




 ---
The allow/deny directives are processed in the following
             order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.
---



On Wed, 31 Jan 2007 13:08:23 +0800 / MCG ZHUANG Liang wrote:
With a subject: RE: AllowUser, DenyUser don't work.


Hello Kamchybek,
Thanks a lot for your advice, but from the manual, did you notice this
line:
==The allow/deny directives are processedi n the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.==

According to this, my understanding is that I can deny root from
anywhere and then only permit root from 192.17.0.0 by the following 2
lines in the conf file:

DenyUsers root
AllowUsers root@192.17.*

But it failed.

As for the reason that I AllowUsers root@192.17.*, we have several
blades cooperate in such small local internal network, and we need:
ssh root@blade1 exec some cmd

so any other ideas to settle this contradiction?

Regards,
Zhuang Liang.


-----Original Message-----
From: Kamchybek Jusupov [mailto:kj.synack@gmail.com]
Sent: Wednesday, January 31, 2007 12:35
To: MCG ZHUANG Liang
Cc: secureshell@securityfocus.com
Subject: Re: AllowUser, DenyUser don't work.

Hi MCG,

Don't know the reason why you want to enable remote root logins, but:

man sshd_config says:
---
AllowUsers
            This keyword can be followed by a list of user name
patterns, separated by spa- ces.  If specified, login is allowed only
for user names that match one of the patterns.  Only user names are
valid; a numerical user ID is not recognized.  By default, login is
allowed for all users.  If the pattern takes the form USER@HOST then
USER and HOST are separately checked, restricting logins to
particular users from particular hosts.  The allow/deny directives
are processed in the following order: DenyUsers, AllowUsers,
DenyGroups, and finally AllowGroups.
---

So, if you have "DenyUsers root" that's it - no root logins...


Better would be setup:
PermitRootLogin no
AllowUsers normaluserid

Get some help from "su -" and/or "sudo "


PS: Use ssh -vvv to get more debug messages...



On Tue, 30 Jan 2007 16:29:13 +0800 / MCG ZHUANG Liang wrote:
With a subject: AllowUser, DenyUser don't work.


 Hello,
I try to restrict some kind of login through AllowUser and DenyUser
but failed.
openssh version: 4.5
What I want: disable root login from network outside 192.17.0.0
 What I wrote into /etc/ssh/sshd_config
***************************
DenyUsers root
AllowUsers root@192.17.*
***************************
However, after that not only root can not login from anywhere, but

all

the other accounts are also disabled

Anything I did wrong?

Regards,
Zhuang Liang.





.




--
Rgds,
Kamchybek Jusupov

Attitude is no substitude for competence...
GPG Key: C565 2827 0858 ECFE 74D7  A556 7B09 59DA B6C8 FF8C



-- 
Rgds,
Kamchybek Jusupov

Attitude is no substitude for competence...
GPG Key: C565 2827 0858 ECFE 74D7  A556 7B09 59DA B6C8 FF8C
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: AllowUser, DenyUser don't work., Kamchybek Jusupov
Next by Date:  Re: AllowUser, DenyUser don't work., Philipp Snizek
Previous by Thread:  Re: AllowUser, DenyUser don't work., Philipp Snizek
Next by Thread:  Carriage return character added automatically, Ziv
Indexes:  [Date] [Thread] [Top] [All Lists]