Indranil

Requirement

  • ssh-jailed access: restrict all groups, but allow one group.

login to VM-GP324911 for users in GP324911, deny others.
login to VM-GP9e68e for users in GP9e68ea, deny others.
login to VM-GPea7899 for users in GPea7899, deny others.

In some cases, a user can be in group GP324911 and GP9e68ea or others;
access or login should work based on the group assigned to that VM.
By GPO, a couple of AD groups are allowed ssh logins to multiple RHEL VMs. What we want is to restrict further - allow only one AD group and disallow others.
But - if a user is part of two or multiple groups - allow login only where the group is allowed.

Tried with ssh match group like below -

Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes

Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
  PasswordAuthentication no
  PubkeyAuthentication no

It works the above way:

  • user part of GP324911, GP9e68ea -- allows login to VM-GP324911 or VM-GP9e68ea.

Two questions -

  • It stops working if I move the allowing match block below the deny match block, like below; then it will stop allowing access in VM-GP324911 for group GP324911.
Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
  PasswordAuthentication no
  PubkeyAuthentication no

Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes
  • We tried with deny groups and allow groups; it didn't work. Is there any other way of doing this?
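
The order dependence described in the question, as an added example that is not part of the original post: a simplified Python model of the sshd_config(5) rule that, for each keyword, the first obtained value is used, run over both block orders from the post. The group memberships passed in and the global defaults are assumptions made for illustration.

```python
# Added example: simplified model of sshd's "first obtained value wins" rule
# for Match Group blocks. Group names come from the post; the global defaults
# below are assumed (they mirror OpenSSH's stock defaults).
GLOBAL_DEFAULTS = {"PasswordAuthentication": "yes", "PubkeyAuthentication": "yes"}

ALLOW_BLOCK = """Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes
"""
DENY_BLOCK = """Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
  PasswordAuthentication no
  PubkeyAuthentication no
"""
ALLOW_FIRST = ALLOW_BLOCK + "\n" + DENY_BLOCK   # order that works in the post
DENY_FIRST = DENY_BLOCK + "\n" + ALLOW_BLOCK    # order that stops working


def parse_match_blocks(text):
    """Return [(groups, {keyword: value}), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0].lower() == "match":
            if len(words) != 3 or words[1].lower() != "group":
                raise ValueError(f"only 'Match Group <list>' is modelled: {raw!r}")
            blocks.append((set(words[2].split(",")), {}))
        elif blocks and len(words) == 2:
            blocks[-1][1].setdefault(words[0], words[1])
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return blocks


def effective_settings(text, user_groups):
    """Walk blocks top to bottom; each keyword keeps the first value it gets."""
    chosen = {}
    for groups, settings in parse_match_blocks(text):
        if groups & set(user_groups):
            for keyword, value in settings.items():
                chosen.setdefault(keyword, value)
    return {**GLOBAL_DEFAULTS, **chosen}


def can_authenticate(text, user_groups):
    """True if at least one of the two modelled auth methods stays enabled."""
    eff = effective_settings(text, user_groups)
    return "yes" in (eff["PasswordAuthentication"], eff["PubkeyAuthentication"])
```

The model also shows that a user in none of the listed groups falls through to the global settings, so these two blocks alone do not deny unlisted groups. On a real host, `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the effective values sshd would apply to that connection.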