I'm trying to secure a new sever for a clients app. What I'm trying to achieve is to lock down ssh access to users within a certain group.
I have created my group 'remote' and a new user to that group called remoteuser; if I cat /etc/group I see
remote:x:823:remoteuser
in /etc/ssh/sshd_config
I added the option
AllowGroups remote
from the sshd_config
man page, this should restrict login to only users in 'remote' group.
After restarting sshd I try login with another user and I am prompted for the password. Can someone point out where I am going wrong?
I am using Ubuntu 16.10
Best Answer
You are prompted for a password, but even if you would provide correct password, you would not be granted access. This is how this option works.
It is another level of secrecy, that the server is not leaking the list of users that have valid account. If it would not do that, attacker could scan the server for valid users in minutes and attack only the existing users, which he can expect to have weak password or whatever else guess.