
Requirement

  • ssh-jailed access: restrict all groups, but allow one group.

login to VM-GP324911 for users in GP324911, deny others.
login to VM-GP9e68e for users in GP9e68ea, deny others.
login to VM-GPea7899 for users in GPea7899, deny others.

In some cases, a user can be in Group GP324911 and GP9e68ea or others;
access or login should work based on the group assigned to that VM.
By GPO, a couple of AD groups are allowed ssh logins to multiple RHEL VMs. What we want is to restrict this further: allow only one AD group and disallow the others.
But if a user is part of two or more groups, allow login only where the group is allowed.

Tried with ssh Match Group like below:

Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes

Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
  PasswordAuthentication no
  PubkeyAuthentication no

It works the above way:

  • a user in GP324911 and GP9e68ea is allowed to log in to VM-GP324911 or VM-GP9e68ea.

Two questions:

  • It stops working if I move the allowing Match block below the deny Match block, like below; then it stops allowing access to VM-GP324911 for group GP324911:

Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
  PasswordAuthentication no
  PubkeyAuthentication no

Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes

  • We tried with DenyGroups and AllowGroups; it didn't work. Is there any other way of doing this?
  • Is it possible for a user to be in more than one of these groups? Can a user be in group GP324911 and also one of the other groups? Commented Oct 18, 2023 at 13:19
  • Yes, definitely it's possible. Users in GP324911 log in to VM-GP324911; users in GP9e68ea log in to VM-GP9e68ea. Commented Oct 18, 2023 at 13:22

1 Answer

In the sshd_config file, each option (with a few exceptions not relevant here) only applies the first time that option is seen. If you have two match sections:

Match something...
    PasswordAuthentication yes

Match something else...
    PasswordAuthentication no

A user who matches both sections will end up with "yes" for the option, because that one came first.

In your case, it seems the "Match Group GP324911" section should come first, so that those options apply to any user in that group:

Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes

After that, you could add your "Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,etc" section with the options set to "no" if you like. Or you could just do this:

Match all
  PasswordAuthentication no
  PubkeyAuthentication no

This will match everyone, even members of GP324911. But the options won't be applied to GP324911 members because the options were already set for those users by the first match section.
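To make the ordering rule concrete, here is an added example (not part of the question or the answer) that models sshd's first-occurrence-wins evaluation of Match Group blocks in Python and runs the question's two block orders, plus the Match all variant, against a user who is in both GP324911 and GP9e68ea. It only models Group and all criteria; User, Address and the other Match keywords are assumed out of scope.

```python
from typing import Dict, List, Optional, Tuple

def parse_sshd_config(text: str) -> List[Tuple[Optional[List[str]], Dict[str, str]]]:
    """Split sshd_config text into (match criteria, options) blocks.
    Criteria None is the global section; ['all'] is 'Match all'."""
    blocks: List[Tuple[Optional[List[str]], Dict[str, str]]] = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, rest = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            blocks.append((rest.split(), {}))
        else:
            # sshd keeps the first value of an option, even inside one block
            blocks[-1][1].setdefault(key.lower(), rest.strip())
    return blocks

def block_matches(criteria: Optional[List[str]], groups: List[str]) -> bool:
    """True if a user with these groups satisfies every criteria pair."""
    if criteria is None or criteria[0].lower() == "all":
        return True
    for crit, pattern in zip(criteria[0::2], criteria[1::2]):
        # only Group is modelled here; a comma-separated list matches any group
        if crit.lower() != "group" or not set(pattern.split(",")) & set(groups):
            return False
    return True

def effective_options(text: str, groups: List[str]) -> Dict[str, str]:
    """Effective options for the user: the first matching block that sets an option wins."""
    effective: Dict[str, str] = {}
    for criteria, options in parse_sshd_config(text):
        if block_matches(criteria, groups):
            for opt, value in options.items():
                effective.setdefault(opt, value)
    return effective

# Constructed configs reproducing the question's blocks in both orders.
ALLOW = "Match Group GP324911\n  PasswordAuthentication yes\n  PubkeyAuthentication yes\n"
DENY = ("Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759\n"
        "  PasswordAuthentication no\n  PubkeyAuthentication no\n")
DENY_ALL = "Match all\n  PasswordAuthentication no\n  PubkeyAuthentication no\n"

if __name__ == "__main__":
    both = ["GP324911", "GP9e68ea"]   # user in two groups, as in the question
    print(effective_options(ALLOW + DENY, both))              # allow block first -> yes
    print(effective_options(DENY + ALLOW, both))              # deny block first -> no
    print(effective_options(ALLOW + DENY_ALL, ["GPea7899"]))  # Match all catches the rest -> no
```

On the real server the equivalent check is `sshd -T -C user=<account>`, which prints the effective options for that user after Match processing. Bear in mind that PasswordAuthentication and PubkeyAuthentication alone do not cover other methods such as KbdInteractiveAuthentication, so review the full `sshd -T` output rather than just these two lines.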
