similar to: Limit SSH access for users from defined source address

Hey everyone, After discussing the AllowGroups I think I've discovered a bug. The system is a solaris 8 system and the problem is that when I use AllowGroups with no AllowUsers args, the proper actions happen. Same with AllowUsers and no AllowGroups. When I try to combine the two, none of the Allow directives seem to take. Is it just me or maybe a bug? -James

Hello, What is the best way to protect multiuser systems from brute force attacks? I am setting up a relatively loose DenyHosts policy, but I like the idea of locking an account for a time if too many attempts are made, but to balance this with keeping the user from making a helpdesk call. What are some policies/techniques that have worked for this list with minimal hassle? Thanks! -Eugene

Markus, ignore the other stuff I sent.. I need to go back to bed and stop trying to code.. <sigh> For everone else.. Will this make everyone happy? This does the follow. it will always honor AllowUsers. If there is no Allow/DenyGroups it stated they are not in allowUsers. IF there are AllowDenyGroups it tries them. And then stated they are not in either AllowUsers nor AllowGroups

https://bugzilla.mindrot.org/show_bug.cgi?id=1690 Summary: AllowUsers and DenyGroups directives are not parsed in the order specified Product: Portable OpenSSH Version: 5.3p1 Platform: ix86 OS/Version: Linux Status: NEW Keywords: patch Severity: trivial Priority: P2 Component:

Thank for your answer: But i dont know understand why is following not working: I want to restrict the ssh access for a special domain member: In my "sshd_config" i added: AllowGroups restrictaccess root With user2 im able to login via ssh! log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE With user1 im not! log: User user1 from 192.168.0.100 not allowed

Hi everyone, I have a SerNet-Samba 4.3.6-10 AD which works fine. Now I try to implement a fileserver. It is a server with a lot of (old)-users, which have an Unix-Account. On this server are also users who should can login from the Internet over ssh. But now I'm running in trouble with the security of my fileserver. When I would install samba 4.3.6 on it and activate sernet-samba-client

While testing some AllowUsers and AllowGroups combinations I was surprised to find that one cannot be used to override the other. For example: AllowGroups administrators AllowUsers john If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to create another group just for ssh, something like ssh-admins. This other

I've used ssh as a secure telnet up to now but done little else with it. The FreeBSD machines I look after on our internet-facing network all have one account which I connect to for administration. I've set up /etc/hosts.allow on all the machines to only allow ssh from a limited internal network range. Now I want to create a new account on one machine which will be accessible from the

I smacked into this previously reported bug today whereby an invalid keyword in the Match{} stanza did not throw an error on configuration reload. Are there any plans to fix this? Likewise the penchant for some fields to be comma separated and others to be spaces is just asking for mistakes. Why not support both and be done with it? There was no response (that I saw in the archives) to this post

It seems the syntax for AllowUsers in sshd_config is not the same that is given in man sshd_config and in several documentation on the web. (http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config) e.g. AllowUsers root does work. AllowUsers root username does not work. If I try to login as root I get "User root from <hostname> not allowed because not listed in AllowUsers".

Hi When I enable a box to do authentication using LDAP it breaks cron for users like jboss. I get the following in /var/log/secure Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account): access denied for user `jboss' from `cron' I have the following in /etc/ldap.conf nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,jboss

I have a number of development machines behind my OpenBSD firewall which all provide a very permissive development account (and easy sudo). I don't want this account exposed on the internet side of the firewall, so I created a doorstep account with no perms and really long passwords to get anywhere useful. I looked through the SSH book and it gave me the impression that I could set up these

Hi, I get ssh connect attempts all the time, to my servers at home and at work. I've noticed lately they come from a certain ip address, hitting every 3 or 4 seconds, trying 50 or 100 different user names and passwords. And I get these sweeps from 2 or 3 ip addresses a day. I guess this is an automated attempt to guess a user/pass and break into a system. I tried to secure ssh better by

On 04/26/2017 04:22 AM, Gordon Messmer wrote: > On 04/25/2017 03:25 PM, Robert Moskowitz wrote: >> This made the same content as before that caused problems: > > I still don't understand, exactly. Are you seeing *new* problems > after installing a policy? What are the problems? > >> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.

Hai, I have AllowGroups sshlinux, sshwindows Add at least 1 user in the linux group and at least 1 in the sshwindows group. Make sure the sshwindows group have a GID. And make sure the windows user loggin in in ssh als have a UID. AND for both, UID 1000+ ( which is in debian the default PAM setting ) . This is base on a "MEMBER" server. If you do : getent windowsuser You

Hello, I've trawled archives looking for changes in the "AllowUsers" option, manuals, changes log, reported bugs and to my surprise I can't find anything or anyone that has reported the issues that I am experiencing. I am using the default installation sshd_config file as supplied by Redhat and the only options I have changed are: ListenAddress AllowUsers The first problem

Hiya, I'm trying to set up a Samba PDC with an LDAP backend. I experienced problems joining machines to domains, the machine account was created, but Windows said user name cannot be found. I resolved this by adding ldap to /etc/nsswitch.conf, but this has the side effect of allowing ldap users to login to the server via SSH. Whilst I can understand the need for LDAP users to be accessible

Hey gang, I seem to be having a brain disconnect on how to get the Augeas type to manage things that have multiple values (i.e. an Augeas tree) via Puppet. If I run this in augtool: augtool> set /files/etc/ssh/sshd_config/AllowGroups/1000 sshuser augtool> save I see this in /etc/ssh/sshd_config: AllowGroups sshuser However, if I try this in an Augeas type: augeas {

Hello all, I just noticed that AllowHosts feature of SSH Inc's sshd isn't there in OpenSSH yet. Has anyone been working on this? Am I the only one that seems to miss this feature? AllowUsers and AllowGroups is a very nice feature though :) -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and

Hi, We're using Samba 2.2.2 as a PDC for W2k and XP clients. We have two types of users - "regular" users and "management". The problem I have is to allow only the "management" users to login from certain stations, and deny the login rights to regular users. That is, I need the ability do set per-station login permissions. Is there a way to do this using samba