supmethods

For some reason, restrictions are no longer being applied for SSH. I can log in as any user and choose any authentication method. I have created a test user, and the test user is not in the allow list but can still log in as any user and with any authentication method.

Rules were enforced before but now have stopped. It's happening on an AlmaLinux 8 system.

Here's what is in place:

PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no

Match User nagios
    PasswordAuthentication no
    PubkeyAuthentication yes

Match User meta
    PasswordAuthentication yes
    PubkeyAuthentication yes

Match User yubi Address 10.10.0.201/32
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowUsers yubi

Match Address 10.10.0.0/24
        AllowUsers meta

Match Address 22.22.22.22
        AllowUsers nagios

Problem is occurring on AlmaLinux 9 also. It seems user override no longer works. Here's the complete entry in my AlmaLinux 9 file /etc/ssh/sshd_config.d/sshd_custom_rules.conf

## Custom SSH rules
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no

Match Address 192.168.68.0/22
    AllowUsers yubi repository-admin

Match User yubi
    PasswordAuthentication yes
    PubkeyAuthentication no

Match User repository-admin
    PasswordAuthentication no
    PubkeyAuthentication yes

The main sshd_config is set to the default. The uncommented lines are as below.

Include /etc/ssh/sshd_config.d/*.conf
Port 22
AuthorizedKeysFile      .ssh/authorized_keys
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Here's the content in the file /etc/ssh/sshd_config.d/50-redhat.conf

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

If I remove the user from the config file, they are unable to log in. Once enabled, the user is able to access with all authentication methods despite only granting them PubkeyAuthentication or PasswordAuthentication.
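
An added example, not part of the original post and not OpenSSH code: a small Python model of how sshd_config(5) resolves the AlmaLinux 9 files quoted above (first value wins for global options, options in a matching Match block override them), showing which authentication methods stay enabled per user and address. It assumes exact user names and CIDR addresses only, treats ChallengeResponseAuthentication as the deprecated alias of KbdInteractiveAuthentication, and uses constructed client addresses.

```python
import ipaddress

# Constructed from the post: the Include line pulls in sshd_config.d/*.conf
# in lexical order, so 50-redhat.conf is read before sshd_custom_rules.conf.
# Only the lines that affect authentication are reproduced here.
FILES = [
    ("50-redhat.conf", "ChallengeResponseAuthentication yes\nUsePAM yes\n"),
    ("sshd_custom_rules.conf", """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no
Match Address 192.168.68.0/22
    AllowUsers yubi repository-admin
Match User yubi
    PasswordAuthentication yes
    PubkeyAuthentication no
Match User repository-admin
    PasswordAuthentication no
    PubkeyAuthentication yes
"""),
]
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
METHODS = ("passwordauthentication", "pubkeyauthentication",
           "kbdinteractiveauthentication")


def criteria_match(criteria, user, addr):
    """True when every 'User name' / 'Address cidr' pair on a Match line holds."""
    for kind, pattern in zip(criteria[0::2], criteria[1::2]):
        if kind.lower() == "user" and user != pattern:
            return False
        if kind.lower() == "address":
            net = ipaddress.ip_network(pattern)
            if ipaddress.ip_address(addr) not in net:
                return False
    return True


def effective(user, addr):
    """Return the options this model applies to one user/address pair."""
    global_opts, match_opts = {}, {}
    for _name, text in FILES:
        target = global_opts  # assumption: each file starts outside any Match
        for line in text.splitlines():
            words = line.split()
            if not words or words[0].startswith("#"):
                continue
            key = ALIASES.get(words[0].lower(), words[0].lower())
            if key == "match":
                hit = criteria_match(words[1:], user, addr)
                target = match_opts if hit else None
            elif target is not None:
                target.setdefault(key, " ".join(words[1:]))  # first value wins
    return {**global_opts, **match_opts}  # matching blocks override globals


def may_authenticate(user, addr):
    """Apply AllowUsers (plain names only), then list the enabled methods."""
    opts = effective(user, addr)
    if "allowusers" in opts and user not in opts["allowusers"].split():
        return []
    return [m for m in METHODS if opts.get(m) == "yes"]
```

On a live host, `sshd -T -C user=yubi,host=client,addr=192.168.68.10` prints the effective settings from the real parser for comparison.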
