SSHD AllowGroups,控制组

时间:2015-09-30 18:30:21

标签: linux security sshd

我在ubuntu上遇到SSHD问题。我试图通过使用AllowGroups来限制可以远程登录的帐户,从而在SSH服务器上提供更强大的安全性。不幸的是,似乎不在允许组中的用户仍然可以登录并发出命令。

我正在使用: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3,OpenSSL 1.0.1f 2014年1月6日

我已将以下行添加到/etc/ssh/sshd_config 

AllowGroups ssh

DenyGroups *

我创建了两个用户帐户

$ id test1
uid=1002(test1) gid=1003(test1) groups=1003(test1),113(ssh)
$ id test2
uid=1003(test2) gid=1004(test2) groups=1004(test2)

用户test2仍然可以从远程终端ssh。

当我测试sshd服务器配置时,它似乎包含组AllowGroups的{​​{1}}设置

ssh

我对$ sudo /usr/sbin/sshd -T port 22 protocol 2 addressfamily any listenaddress 0.0.0.0:22 listenaddress [::]:22 usepam 1 serverkeybits 1024 logingracetime 120 keyregenerationinterval 3600 x11displayoffset 10 maxauthtries 6 maxsessions 10 clientaliveinterval 0 clientalivecountmax 3 permitrootlogin without-password ignorerhosts yes ignoreuserknownhosts no rhostsrsaauthentication no hostbasedauthentication no hostbasedusesnamefrompacketonly no rsaauthentication yes pubkeyauthentication yes kerberosauthentication no kerberosorlocalpasswd yes kerberosticketcleanup yes gssapiauthentication no gssapikeyexchange no gssapicleanupcredentials yes gssapistrictacceptorcheck yes gssapistorecredentialsonrekey no passwordauthentication yes kbdinteractiveauthentication no challengeresponseauthentication no printmotd no printlastlog yes x11forwarding yes x11uselocalhost yes permittty yes strictmodes yes tcpkeepalive yes permitemptypasswords no permituserenvironment no uselogin no compression delayed gatewayports no usedns yes allowtcpforwarding yes useprivilegeseparation yes pidfile /var/run/sshd.pid xauthlocation /usr/bin/xauth ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com macs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com versionaddendum kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org loglevel INFO syslogfacility AUTH authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2 hostkey /etc/ssh/ssh_host_rsa_key hostkey /etc/ssh/ssh_host_dsa_key hostkey /etc/ssh/ssh_host_ecdsa_key hostkey /etc/ssh/ssh_host_ed25519_key allowgroups ssh denygroups acceptenv LANG acceptenv LC_* authenticationmethods subsystem sftp /usr/lib/openssh/sftp-server maxstartups 10:30:100 permittunnel no ipqos lowdelay throughput rekeylimit 0 0 permitopen any 功能的理解不正确吗?我的设置是否有冲突?有没有人有我学习的AllowGroups sshd_config工作的例子?感谢。

1 个答案:

答案 0 :(得分:0)

您可以使用PAM模块pam_listfile完成相同的操作。 

auth    required       pam_listfile.so \
        onerr=fail item=group sense=allow file=/etc/logingroups

这意味着只允许/ etc / logingroups中列出的组在服务器中进行身份验证。 查看其手册页:http://linux.die.net/man/8/pam_listfile

相关问题
最新问题