Sshd_config AllowGroups has no effect

groupsshsshdUbuntuusers

I'm trying to secure a new sever for a clients app. What I'm trying to achieve is to lock down ssh access to users within a certain group.

I have created my group 'remote' and a new user to that group called remoteuser; if I cat /etc/group I see

remote:x:823:remoteuser

in /etc/ssh/sshd_config I added the option

AllowGroups remote

from the sshd_config man page, this should restrict login to only users in 'remote' group.

After restarting sshd I try login with another user and I am prompted for the password. Can someone point out where I am going wrong?

I am using Ubuntu 16.10

Best Answer

You are prompted for a password, but even if you would provide correct password, you would not be granted access. This is how this option works.

It is another level of secrecy, that the server is not leaking the list of users that have valid account. If it would not do that, attacker could scan the server for valid users in minutes and attack only the existing users, which he can expect to have weak password or whatever else guess.

Related Solutions

Ssh – Expired password and SSH key based login with UsePAM yes

The order of operations that causes the expired password prompt is as follows:

SSH runs the PAM account stage, which verifies that the account exists and is valid. The account stage notices that the password has expired, and lets SSH know.
SSH performs key-based authentication. It doesn't need PAM for this, so it doesn't run the auth stage. It then sets up the SSH login session and runs the PAM session stage.
Next, SSH remembers that PAM told it the password had expired, prints a warning message, and asks PAM to have the user change the password. SSH then disconnects.

All of this is SSH's doing, and I don't see any SSH options to configure this behavior. So unless you want to build a custom version of SSH and/or PAM, the only option I see is to prevent PAM from reporting the expired password to SSH. If you do this, it will disable expired password checks over SSH entirely, even if the user is logging in over SSH with a password. Other (non-SSH) methods of login will still check password expiration.

Your current pam.d/sshd file has a account include common-account entry. I presume there's a common-account file which contains a reference to pam_unix.so. This is the line that checks for an expired password.

You probably don't want to touch the common-account file itself, since it's used for other login methods. Instead, you want to remove the include from your pam.d/sshd file. If there are other functions in common-account besides pam_unix.so, you probably want to put them directly into pam.d/sshd.

Finally, remember that this is a modification to the security of your system and you shouldn't just blindly trust me to give you good advice. Read up on how PAM works if you're unfamiliar with it. Some starting places might be man 7 PAM, man 5 pam.conf, and man 8 pam_unix.

Ssh – Can’t connect to another user than root through SSH

.ssh and everything under it should be owned by the user (in this case 'storm') and only the user should have permission. chown -R storm ~storm/.ssh; chmod 700 ~storm/.ssh;chmod 600 ~storm/.ssh/authorized_keys should do the trick.

If you have control over who's able to log into the console, you can get away without the Match block and the AllowUsers directive by simply disabling passwords and allowing root login only with a key:

PasswordAuthentication no
PermitRootLogin without-password

Be sure to test this while you have access to the console . . . just in case.

Best Answer

Related Solutions

Ssh – Expired password and SSH key based login with UsePAM yes

Ssh – Can’t connect to another user than root through SSH

Related Question