search for: allowgroups

Hey everyone, After discussing the AllowGroups I think I've discovered a bug. The system is a solaris 8 system and the problem is that when I use AllowGroups with no AllowUsers args, the proper actions happen. Same with AllowUsers and no AllowGroups. When I try to combine the two, none of the Allow directives seem to take. Is it just m...

...irst obtained value will be used.", so that gives me the impression that any lines after the first should be ignored. However, my testing seems to contradict this - if I have two lines granting access to different groups, both groups get access. So it seems like these are equivalent: > AllowGroups foo bar > AllowGroups foo > AllowGroups bar Is this behaviour to be expected? It could of course also be Debian introducing special behaviour, but I thought I should check here first. /T

Hi, After extensively looking into puppet + augeas for managing the AllowGroups in sshd_config, I came to the conclusion that it won''t work as I expected :( So I''m sharing my thoughts here. The main objective is allowing multiple groups per-node, depending on what the security team wants. Since I want this to be dynamic, I created a define in a class: class...

https://bugzilla.mindrot.org/show_bug.cgi?id=2391 Bug ID: 2391 Summary: Enhance AllowGroups documentation in man page Product: Portable OpenSSH Version: 6.8p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.or...

While testing some AllowUsers and AllowGroups combinations I was surprised to find that one cannot be used to override the other. For example: AllowGroups administrators AllowUsers john If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to create another group j...

Hai, I have AllowGroups sshlinux, sshwindows Add at least 1 user in the linux group and at least 1 in the sshwindows group. Make sure the sshwindows group have a GID. And make sure the windows user loggin in in ssh als have a UID. AND for both, UID 1000+ ( which is in debian the default PAM setting ) . This is ba...

...code.. <sigh> For everone else.. Will this make everyone happy? This does the follow. it will always honor AllowUsers. If there is no Allow/DenyGroups it stated they are not in allowUsers. IF there are AllowDenyGroups it tries them. And then stated they are not in either AllowUsers nor AllowGroups since PErmitRootLogin is not handled in auth.c:allowed_users() I will not try to add that logic. I still believe it should be true. Diff against -ccurent BSD tree. - Ben Index: auth.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth.c,v re...

Subject: logcheck-database: Tweak to ssh rules to ignore AllowGroups denial Package: logcheck-database Version: 1.3.13 Severity: minor *** Please type your report below this line *** Similar to how AllowUsers denials are ignored, also ignore AllowGroups: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not...

Hi, Can anyone else confirm that AllowGroup is no longer an accepted configuration option for openssh-server-4.3p2-29.el5. And is this intended or should I be submitting a Bug Report ? Thanks

Hi, with sssd i can do: $ ssh user at domain.tld@HOST1 $ id user at domain.tld $ ls -al /home/domain.tld/user drwx------ 5 user at domain.tld domain users at domain.tld 103 12. Jun 14:14 . $ grep AllowGroups /etc/ssh/sshd_config AllowGroups lokale_gruppe samba_gruppe at domain.tld When switching to winbind only $ id user at domain.tld is working any other command is using user\domain $ ls -al /home/domain.tld/brielmj drwxr-x--- 4 DOMAIN\user DOMAIN\domain users 4096 Jun 15 17:10 . $ grep AllowGro...

What I was trying to do: I wanted to use the AllowGroups facility to allow users in by group instead of listing individual usernames but also allow root only from a single central host. Setup actions: targetusername on target host has a secondary group entry of "staff". Updated sshd_config to add the lines: AllowUsers root at nimsrvr A...

Hi everyone, I have a SerNet-Samba 4.3.6-10 AD which works fine. Now I try to implement a fileserver. It is a server with a lot of (old)-users, which have an Unix-Account. On this server are also users who should can login from the Internet over ssh. But now I'm running in trouble with the security of my fileserver. When I would install samba 4.3.6 on it and activate sernet-samba-client

http://bugzilla.mindrot.org/show_bug.cgi?id=999 Summary: AllowGroups ,DenyGroups failed to report hostname Product: Portable OpenSSH Version: 4.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org...

I do not know have you have already fixed problem when both AllowUsers and AllowGroups have been defined. Source package was: openssh-2.1.1-p1 (rpm version) Problem is described in this example: AllowGroups admins ssh AllowUsers testuser testusers primary group is users User cannot login because his primary group wasn't admins or ssh... I have included patch for this in this...

https://bugzilla.mindrot.org/show_bug.cgi?id=2292 Bug ID: 2292 Summary: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation...

On 16/06/2023 19:49, Stefan Kania via samba wrote: > Hi, > > with sssd i can do: > $ ssh user at domain.tld@HOST1 > $ id user at domain.tld > $ ls -al /home/domain.tld/user > drwx------ 5 user at domain.tld domain users at domain.tld? 103 12. Jun 14:14 . > $ grep AllowGroups /etc/ssh/sshd_config > AllowGroups lokale_gruppe samba_gruppe at domain.tld > > When switching to winbind only > $ id user at domain.tld > > is working any other command is using user\domain > > $ ls -al /home/domain.tld/brielmj > drwxr-x--- 4 DOMAIN\user DOMAIN\domain...

Hi, I'm trying to control access to different services on an Debian server using /etc/group. So that a user I create for FTP usage doesn't fill up my server with IMAP folders or samba garbage. Services like proftpd have: "AllowGroup ftpgroup" sshd have "AllowGroups sshgroup" And samba have "valid users = @smbgroup" But I can't find the correct option in Dovecot (/etc/dovecot/dovecot.conf) Do anyone have the magic option or a workaround thats doesn't envolve maintaining seperate user databases and password? (I know its needed for sa...

Hey, After discussing the limit of MAX_ALLOW_USERS I've been trying to use AllowGroups instead. In the config file I have the AllowUsers lines before the AllowGroups lines (I have tried both ways) and it appears that the presence on the AllowGroups directives seems to blow away any Allow* directives I have set. I'm not sure how to check further for bugs so I figured I'd c...

Hello, I was hoping that someone could shed some light on this issue we are having. I'm trying to use AD groups to allow SSH access into the Linux boxes but It doesn't seem to work. We have: AllowGroups unix_admins AllowUsers joe at server1.domain.com And doesn't work. If I remove the first one it works great joe can login into the box from server1. the end objective that I want is to restrict access to groups. let's say I want the group unix_admins to be able to log in into the box...

...2311628508429&w=2 Like him, I'm using 5.3p1 as packaged in CentOS 6.3. Secondly the Allow/Deny logic is downright tortured. I looked back and again didn't come across any good discussion as to why it was written that way. It should not be necessary for AllowUsers to be the superset of AllowGroups. As Spock would say "it is illogical." If you had to write PF rules like that you'd go crazy. That's why most people use first-match logic. Per the manpage, if the logic is DenyUsers > AllowUsers > DenyGroups > AllowGroups, then there has to be a immediate stop to the lo...