我对ubuntu上的sshd有问题。我试图通过使用AllowGroups限制可以远程登录的帐户,在ssh服务器上提供更健壮的安全性。不幸的是,似乎不在允许组中的用户仍然可以登录并发出命令。
我正在使用:
openssh_6.6.1p1 ubuntu-2ubuntu2.3,openssl 1.0.1f 2014年1月6日
我已将以下行添加到/etc/ssh/sshd_config
AllowGroups ssh
DenyGroups *
我创建了两个用户帐户
$ id test1
uid=1002(test1) gid=1003(test1) groups=1003(test1),113(ssh)
$ id test2
uid=1003(test2) gid=1004(test2) groups=1004(test2)
用户test2仍然可以从远程终端ssh。
当我测试
sshd服务器配置时,它似乎包括组AllowGroups的ssh设置。$ sudo /usr/sbin/sshd -T
port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22
usepam 1
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
permitrootlogin without-password
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication yes
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapikeyexchange no
gssapicleanupcredentials yes
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd no
printlastlog yes
x11forwarding yes
x11uselocalhost yes
permittty yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
usedns yes
allowtcpforwarding yes
useprivilegeseparation yes
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
macs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
versionaddendum
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,[email protected]
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
allowgroups ssh
denygroups
acceptenv LANG
acceptenv LC_*
authenticationmethods
subsystem sftp /usr/lib/openssh/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos lowdelay throughput
rekeylimit 0 0
permitopen any
我对
AllowGroups功能的理解是否有误?我的设置有冲突吗?有没有人举过一个我研究过的与工作相关的例子?谢谢。 最佳答案
您可以使用pam module pam_listfile完成相同的操作。
auth required pam_listfile.so \
onerr=fail item=group sense=allow file=/etc/logingroups
这意味着只允许/etc/logingroups中列出的组在服务器中进行身份验证。
查看其手册页:http://linux.die.net/man/8/pam_listfile
关于linux - SSHD AllowGroups,按组控制访问,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/32873255/