Match multiple users in 'sshd_config'
I'm trying to apply the same sshd settings to multiple users.

According to the manual, it seems Match User acts like an AND:

    Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file

How do I state "for any of these users...", so in this example bob, joe, and phil are allowed to use SSH as a proxy, but not allowed to log in:

    Match User bob, User joe, User phil
        PasswordAuthentication yes
        AllowTCPForwarding yes
        ForceCommand /bin/echo 'We talked about this guys. No SSH for you!'

Tags: ssh, users, configuration, sshd
asked Feb 12 '17 at 18:20 by IQAndreas
4 Answers
Not having done this myself, I can only go on what the manuals say:

From the sshd_config manual:

    The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5).

This means that you ought to be able to say

    Match User bob,joe,phil
        PasswordAuthentication yes
        AllowTCPForwarding yes
        ForceCommand /bin/echo 'We talked about this guys. No SSH for you!'

See also this answer on the Information Security forum: https://security.stackexchange.com/a/18038

answered Feb 12 '17 at 18:43 by Kusalananda, edited Mar 17 '17 at 13:14 by Community
Use the Match directive on a group instead of a user. Then add the users to that group:

    Match Group users_with_no_ssh
        PasswordAuthentication yes
        AllowTCPForwarding yes
        ForceCommand /bin/echo 'We talked about this guys. No SSH for you!'

answered Feb 12 '17 at 18:31 by tomodachi
Basically your syntax is wrong. You have:

    Match User bob, User joe, User phil

But it should be:

    Match User bob,joe,phil

answered Oct 9 '17 at 12:44 by m4rinos
I'm not sure ForceCommand would work well with SFTP. Also, maybe it's better to see the 'DenyUsers' word in logs. Anyway, I use this (well, maybe it would be better to use Group):

sshd_config:

    # support, ansible & backup only from specific IP
    Match User ansible,backup,support Address *,!176.x.x.x
        DenyUsers ansible,backup,support
    Match User backup
        AllowTcpForwarding yes
        AllowAgentForwarding yes
        PermitListen 127.0.0.1:2223
        AcceptEnv RESTIC_REPOSITORY RESTIC_PASSWORD

Testing configuration:

    # sshd -T -C addr=176.x.x.x,user=backup | egrep '^((deny|allow)users|permitlisten|acceptenv)'
    denyusers root
    acceptenv RESTIC_REPOSITORY
    acceptenv RESTIC_PASSWORD
    permitlisten 127.0.0.1:2223
    # sshd -T -C addr=8.8.4.4,user=backup | egrep '^((deny|allow)users|permitlisten|acceptenv)'
    denyusers ansible,backup,support
    acceptenv RESTIC_REPOSITORY
    acceptenv RESTIC_PASSWORD
    permitlisten 127.0.0.1:2223

Real world test:

    Jan 29 16:50:12 mx1 sshd[71309]: Connection from 199.x.x.x port 21042 on 199.x.x.x port 2222 rdomain "0"
    Jan 29 16:50:13 mx1 sshd[71309]: User support from 199.x.x.x not allowed because listed in DenyUsers
    Jan 29 16:50:13 mx1 sshd[71309]: Connection closed by invalid user support 199.x.x.x port 21042 [preauth]

answered Jan 29 at 21:53 by Jiri B
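The Match semantics discussed in the question and in the four answers above (criteria on one Match line are AND-ed, a comma-separated list is an OR with '!' negation, Group instead of User, and the 'sshd -T -C user=...,addr=...' check from the last answer), modelled as an added Python example. This is not OpenSSH code and not code from any poster here: 'match_pattern_list', 'match_line_applies', 'effective_config', 'simulate' and the constructed 'SAMPLE_CONFIG' are the example's own names; the global 'DenyUsers root' line is assumed from the 'denyusers root' output above; Python's fnmatch stands in for ssh's own pattern matcher (so CIDR address forms are not handled); group membership is supplied by the caller because the model has no group database. The rule that an applying Match block overrides the global section, and that the first obtained value wins when several blocks set the same keyword, follows the sshd_config(5) manual.

```python
"""Toy model of sshd 'Match' evaluation (added example, not OpenSSH code).
Rules modelled: all criteria on a Match line must hold (AND); each argument is
a comma-separated pattern list with '*'/'?' wildcards and '!' negation; an
applying Match block overrides the global section, and the first obtained value
wins when several blocks set one keyword. fnmatch stands in for ssh's matcher."""
import fnmatch


def match_pattern_list(value, pattern_list):
    """True if a positive sub-pattern matches and no negated one does."""
    got_positive = False
    for sub in pattern_list.split(","):
        if not sub:        # "bob," leaves an empty element; ignore it
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if fnmatch.fnmatchcase(value, sub):
            if negated:    # a matching negated pattern rejects the whole list
                return False
            got_positive = True
    return got_positive


def match_line_applies(criteria, user, address, groups=()):
    """criteria = tokens after 'Match'. Every criterion must match, so the
    question's 'User bob, User joe, User phil' can never apply."""
    if len(criteria) % 2:
        raise ValueError("Match criteria must be keyword/argument pairs")
    for key, arg in zip(criteria[::2], criteria[1::2]):
        key = key.lower()
        if key == "user":
            ok = match_pattern_list(user, arg)
        elif key == "group":   # membership supplied by caller: no NSS here
            ok = any(match_pattern_list(g, arg) for g in groups)
        elif key == "address":
            ok = match_pattern_list(address, arg)   # CIDR forms not modelled
        else:
            raise ValueError("unsupported Match criterion: " + key)
        if not ok:
            return False
    return True


def effective_config(config_text, user, address, groups=()):
    """Keyword -> value sshd would use for this connection, as listed by
    'sshd -T -C user=...,addr=...' (keywords lower-cased)."""
    global_vals, match_vals, active, in_match = {}, {}, True, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        keyword = tokens[0].lower()
        if keyword == "match":
            in_match = True
            active = match_line_applies(tokens[1:], user, address, groups)
        elif active:
            target = match_vals if in_match else global_vals
            target.setdefault(keyword, " ".join(tokens[1:]))  # first value wins
    return {**global_vals, **match_vals}   # Match blocks override the global section


# Constructed sample assembled from this page's snippets; the global
# 'DenyUsers root' is assumed from the 'denyusers root' line in the -T output.
SAMPLE_CONFIG = """\
PasswordAuthentication no
DenyUsers root

# the question's line: three separate User criteria that can never all hold
Match User bob, User joe, User phil
    ForceCommand /bin/echo 'never applied'

# the corrected syntax: one comma-separated pattern list
Match User bob,joe,phil
    PasswordAuthentication yes
    AllowTcpForwarding yes
    ForceCommand /bin/echo 'We talked about this guys. No SSH for you!'

# deny these accounts unless they connect from 176.x.x.x
Match User ansible,backup,support Address *,!176.x.x.x
    DenyUsers ansible,backup,support

Match User backup
    PermitListen 127.0.0.1:2223
"""


def simulate(user, address, groups=()):
    """Print and return the effective settings, 'sshd -T' style."""
    eff = effective_config(SAMPLE_CONFIG, user, address, groups)
    print(f"--- user={user} addr={address}", *(f"{k} {v}" for k, v in sorted(eff.items())), sep="\n")
    return eff


if __name__ == "__main__":
    simulate("bob", "10.0.0.5")        # corrected block applies: forcecommand set
    simulate("backup", "176.x.x.x")    # trusted address: denyusers root
    simulate("backup", "8.8.4.4")      # elsewhere: denyusers ansible,backup,support
```

Running it shows the corrected block applying to bob, and reproduces the two 'sshd -T' runs from the last answer: from 176.x.x.x the backup user keeps the global 'denyusers root', from 8.8.4.4 the Match block's DenyUsers overrides it. Within this model the question's original line is not a syntax error but a block whose three User criteria can never all hold, so it silently never applies; on a real host, 'sshd -T -C user=bob,addr=...' is the check that confirms which block actually wins.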