Hi MCG,
As per the section below, if you have "DenyUsers root", it will be
effective, even if you add "AllowUsers [EMAIL PROTECTED]"...
As for your situation, maybe this will be useful (from
PermitRootLogin section, man sshd_config):
---
If this option is set to ``forced-commands-only'', root login with
public key authentication will
be allowed, but only if the command option has been
specified (which may be useful for taking
remote backups even if root login is normally not
allowed). All other authentication methods are
disabled for root.
---
So, you'll need "public key authentication" and "PermitRootLogin no".
---
The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.
---
On Wed, 31 Jan 2007 13:08:23 +0800 / MCG ZHUANG Liang wrote:
With a subject: RE: AllowUser, DenyUser don't work.
> Hello Kamchybek,
> Thanks a lot for your advice, but from the manual, did you notice this
> line:
> ==The allow/deny directives are processedi n the following order:
> DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.==
>
> According to this, my understanding is that I can deny root from
> anywhere and then only permit root from 192.17.0.0 by the following 2
> lines in the conf file:
> >> DenyUsers root
> >> AllowUsers [EMAIL PROTECTED]
> But it failed.
>
> As for the reason that I AllowUsers [EMAIL PROTECTED], we have several
> blades cooperate in such small local internal network, and we need:
> ssh [EMAIL PROTECTED] exec some cmd
>
> so any other ideas to settle this contradiction?
>
> Regards,
> Zhuang Liang.
>
> >-----Original Message-----
> >From: Kamchybek Jusupov [mailto:[EMAIL PROTECTED]
> >Sent: Wednesday, January 31, 2007 12:35
> >To: MCG ZHUANG Liang
> >Cc: [email protected]
> >Subject: Re: AllowUser, DenyUser don't work.
> >
> >Hi MCG,
> >
> >Don't know the reason why you want to enable remote root logins, but:
> >
> >man sshd_config says:
> >---
> >AllowUsers
> > This keyword can be followed by a list of user name
> >patterns, separated by spa- ces. If specified, login is allowed only
> >for user names that match one of the patterns. Only user names are
> >valid; a numerical user ID is not recognized. By default, login is
> >allowed for all users. If the pattern takes the form [EMAIL PROTECTED] then
> >USER and HOST are separately checked, restricting logins to
> >particular users from particular hosts. The allow/deny directives
> >are processed in the following order: DenyUsers, AllowUsers,
> >DenyGroups, and finally AllowGroups.
> >---
> >
> >So, if you have "DenyUsers root" that's it - no root logins...
> >
> >
> >Better would be setup:
> >PermitRootLogin no
> >AllowUsers normaluserid
> >
> >Get some help from "su -" and/or "sudo "
> >
> >
> >PS: Use ssh -vvv to get more debug messages...
> >
> >
> >
> >On Tue, 30 Jan 2007 16:29:13 +0800 / MCG ZHUANG Liang wrote:
> >With a subject: AllowUser, DenyUser don't work.
> >
> >> Hello,
> >> I try to restrict some kind of login through AllowUser and DenyUser
> >> but failed.
> >> openssh version: 4.5
> >> What I want: disable root login from network outside 192.17.0.0
> >> What I wrote into /etc/ssh/sshd_config
> >> ***************************
> >> DenyUsers root
> >> AllowUsers [EMAIL PROTECTED]
> >> ***************************
> >> However, after that not only root can not login from anywhere, but
> all
> >> the other accounts are also disabled
> >>
> >> Anything I did wrong?
> >>
> >> Regards,
> >> Zhuang Liang.
> >>
> >>
> >>
> >>
> >>
> >> .
> >>
> >
> >
> >--
> >Rgds,
> >Kamchybek Jusupov
> >
> >Attitude is no substitude for competence...
> >GPG Key: C565 2827 0858 ECFE 74D7 A556 7B09 59DA B6C8 FF8C
--
Rgds,
Kamchybek Jusupov
Attitude is no substitude for competence...
GPG Key: C565 2827 0858 ECFE 74D7 A556 7B09 59DA B6C8 FF8C
