0

For some reason, restrictions are no longer being applied for SSH. I can login as any users and choose any authentication method. I have created a test user and test user is not in the allow list but can still login login as any users and with any authentication method.

Rules were enforced before but now have stopped. It's happening on an AlmaLinux 8 system.

Here's what is in place:

PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no

Match User nagios
    PasswordAuthentication no
    PubkeyAuthentication yes

Match User meta
    PasswordAuthentication yes
    PubkeyAuthentication yes

Match User yubi Address 10.10.0.201/32
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowUsers yubi

Match Address 10.10.0.0/24
        AllowUsers meta

Match Address 22.22.22.22
        AllowUsers nagios

Problem is occurring on AlmaLinux 9 also. It seems user override no longer works. Here's the complete entry in my AlmaLinux 9 file /etc/ssh/sshd_config.d/sshd_custom_rules.conf

## Custom SSH rules
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no

Match Address 192.168.68.0/22
    AllowUsers yubi repository-admin

Match User yubi
    PasswordAuthentication yes
    PubkeyAuthentication no

Match User repository-admin
    PasswordAuthentication no
    PubkeyAuthentication yes

The main sshd_config is set to the default. The uncommented lines are as below.

Include /etc/ssh/sshd_config.d/*.conf
Port 22
AuthorizedKeysFile      .ssh/authorized_keys
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Here's the content in the file /etc/ssh/sshd_config.d/50-redhat.conf

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

If I remove the user from the config file, they are unable to login. Once enabled, the user is able to access with all authentication method despite only granting them PubkeyAuthentication or PasswordAuthentication.

Improve this question
4
  • Your configuration does not seem to stop a user called test from connecting if they connect from an IP address that isn't matched with a Match Address rule. What IP address are they connecting from? Commented Sep 6, 2023 at 5:14
  • Same as nagios which is rather odd since user is not even there. I tried looking around for an AllowUsers outside of the block but none found. Commented Sep 6, 2023 at 9:31
  • ....implying that you've not provided the whole sshd_config here. Commented Sep 6, 2023 at 9:57
  • There's not much else in the sshd_config. I have added the lines that are not commented. Commented Oct 1, 2023 at 14:03

1 Answer 1

Reset to default
0

In order to disable password authentication, ChallengeResponseAuthentication needs to be set as no.

Improve this answer
2
  • 1
    Note that the option you mention is deprecated and that you should use KbdInteractiveAuthentication instead. Commented Oct 1, 2023 at 16:47
  • I've updated it to KbdInteractiveAuthentication and it is working also Commented Oct 2, 2023 at 13:18

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.