Match multiple users in 'sshd_config'

I'm trying to apply the same sshd settings to multiple users.

According to the manual, it seems Match User acts like an AND:

"Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file"

How do I state "for any of these users...", so in this example bob, joe, and phil are allowed to use SSH as a proxy, but not allowed to log in:

    Match User bob, User joe, User phil
    PasswordAuthentication yes
    AllowTCPForwarding yes
    ForceCommand /bin/echo 'We talked about this guys. No SSH for you!'

Tags: ssh, users, configuration, sshd

asked Feb 12 '17 at 18:20 by IQAndreas

4 Answers

Not having done this myself, I can only go on what the manuals say:

From the sshd_config manual:

"The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5)."

This means that you ought to be able to say

    Match User bob,joe,phil
    PasswordAuthentication yes
    AllowTCPForwarding yes
    ForceCommand /bin/echo 'We talked about this guys. No SSH for you!'

See also this answer on the Information Security forum: https://security.stackexchange.com/a/18038

edited Mar 17 '17 at 13:14 by Community
answered Feb 12 '17 at 18:43 by Kusalananda

Use the Match directive on a group instead of a user. Then add the users to that group.

    Match Group users_with_no_ssh
    PasswordAuthentication yes
    AllowTCPForwarding yes
    ForceCommand /bin/echo 'We talked about this guys. No SSH for you!'

answered Feb 12 '17 at 18:31 by tomodachi

Basically your syntax is wrong, you have:

    Match User bob, User joe, User phil

But it should be

    Match User bob,joe,phil

answered Oct 9 '17 at 12:44 by m4rinos

I'm not sure ForceCommand would work well with SFTP. Also, maybe it's better to see the word 'DenyUsers' in the logs. Anyway, I use this (well, maybe it would be better to use Group):

sshd_config

    # support, ansible & backup only from specific IP
    Match User ansible,backup,support Address *,!176.x.x.x
    DenyUsers ansible,backup,support

    Match User backup
    AllowTcpForwarding yes
    AllowAgentForwarding yes
    PermitListen 127.0.0.1:2223
    AcceptEnv RESTIC_REPOSITORY RESTIC_PASSWORD

Testing configuration

    # sshd -T -C addr=176.x.x.x,user=backup | egrep '^((deny|allow)users|permitlisten|acceptenv)'
    denyusers root
    acceptenv RESTIC_REPOSITORY
    acceptenv RESTIC_PASSWORD
    permitlisten 127.0.0.1:2223

    # sshd -T -C addr=8.8.4.4,user=backup | egrep '^((deny|allow)users|permitlisten|acceptenv)'
    denyusers ansible,backup,support
    acceptenv RESTIC_REPOSITORY
    acceptenv RESTIC_PASSWORD
    permitlisten 127.0.0.1:2223

Real world test

    Jan 29 16:50:12 mx1 sshd[71309]: Connection from 199.x.x.x port 21042 on 199.x.x.x port 2222 rdomain "0"
    Jan 29 16:50:13 mx1 sshd[71309]: User support from 199.x.x.x not allowed because listed in DenyUsers
    Jan 29 16:50:13 mx1 sshd[71309]: Connection closed by invalid user support 199.x.x.x port 21042 [preauth]

answered Jan 29 at 21:53 by Jiri B
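
An added example, not part of any answer above and not OpenSSH code: a simplified Python model of the pattern-list rules quoted in the first answer (comma-separated alternatives, wildcards, negation) combined with the "all criteria must be satisfied" rule from the question's manual excerpt. It also shows why the last answer writes "Address *,!176.x.x.x" rather than a bare negation. The function names are hypothetical, 192.0.2.10 is a constructed stand-in for the redacted address, and real sshd additionally accepts CIDR notation for Address.

```python
import re


def pattern_to_regex(pattern):
    """Compile one ssh-style pattern: '*' is any run of characters, '?' exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def match_pattern_list(value, pattern_list):
    """Evaluate a comma-separated pattern-list against one value.

    Rules from the PATTERNS section of ssh_config(5):
      * entries are alternatives, so one positive hit is enough (OR);
      * an entry starting with '!' is negated, and a hit on it rejects the
        value regardless of what else is in the list;
      * a list made only of negated entries never matches anything.
    This model compares case-sensitively and ignores empty entries.
    """
    positive_hit = False
    for entry in pattern_list.split(","):
        if not entry:
            continue
        negated = entry.startswith("!")
        body = entry[1:] if negated else entry
        if pattern_to_regex(body).fullmatch(value):
            if negated:
                return False
            positive_hit = True
    return positive_hit


def match_block_applies(criteria, connection):
    """AND together every criterion on one Match line.

    criteria   -- list of (keyword, pattern_list) pairs
    connection -- dict of connection attributes keyed by lower-case keyword
    """
    return all(
        match_pattern_list(connection[keyword.lower()], pattern_list)
        for keyword, pattern_list in criteria
    )


# Constructed sample data. TRUSTED is a documentation address used in place of
# the redacted 176.x.x.x host; 8.8.4.4 is the outside address tested on the page.
TRUSTED = "192.0.2.10"
MATCH_LINES = {
    # One User criterion holding a list: any of the three names is enough.
    "User bob,joe,phil": [("User", "bob,joe,phil")],
    # Illustrates the manual's AND rule only (not how sshd tokenizes the
    # question's exact line): three criteria that no single login satisfies.
    "three separate User criteria": [("User", "bob"), ("User", "joe"), ("User", "phil")],
    # The last answer's form: wildcard first, then carve out the trusted host.
    "User ansible,backup,support Address *,!TRUSTED": [
        ("User", "ansible,backup,support"),
        ("Address", "*,!" + TRUSTED),
    ],
    # Negation on its own: never produces a positive match.
    "User backup Address !TRUSTED": [("User", "backup"), ("Address", "!" + TRUSTED)],
}


def evaluate(connections):
    """Return {(user, address): [names of the Match lines that apply]}."""
    results = {}
    for user, address in connections:
        conn = {"user": user, "address": address}
        results[(user, address)] = [
            name
            for name, criteria in MATCH_LINES.items()
            if match_block_applies(criteria, conn)
        ]
    return results


if __name__ == "__main__":
    sample = [("bob", "8.8.4.4"), ("alice", "8.8.4.4"),
              ("backup", "8.8.4.4"), ("backup", TRUSTED)]
    for key, applied in evaluate(sample).items():
        print(key, "->", applied or "global settings only")
```

On a real host the same questions are answered by sshd itself, using the "sshd -T -C addr=...,user=..." check shown in the last answer.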
