SSH ACL: Allowing users and groups

Discussion in 'Shell / Command Line' started by Eric Hansen, Oct 17, 2013.

    Eric Hansen (Moderator, Staff Writer)
    SSH is pretty much the de facto method of connecting to a remote machine these days when said machine is running something other than Windows. The fact that it's fast, secure (for the most part) and has withstood the test of time has really given it the stamp of approval for every new installation. But what about having control over who can even connect? Sure, you can use or create a PAM module to do this, adding extra overhead to SSH and making life more difficult for yourself, or you can let SSH handle it on its own.

    This isn't exactly a sane method for servers that have a large number of users connecting to them. I remember working on servers that set up ACLs this way, and it was horrid when there were 5 entries full of different usernames. That is why I'm going to cover two ways of doing the same thing here (you'll thank me when you have to administer 100 different users on the same server for SSH access).

    Set Up
    There really isn't much that needs to be done. Both options require editing /etc/ssh/sshd_config (or whatever your server config file is) and then restarting SSH after the changes have been made.

    AllowUsers
    This is the first option and is great if you don't plan on having a lot of people connect to the server. When set, sshd checks the username presented at login against the list of users specified, and if it's not found it denies the request.

    While easy to set up, it can quickly become horrid to maintain. Not only do you have to edit the line (and restart SSH) each time you want to let a new user connect or stop an old user from connecting, but you can quickly end up with a long string of usernames to maintain. This also adds overhead for SSH on each connection request because it has to filter through the list of valid users.

    AllowGroups
    The second option, which to me should always be the go-to route to begin with, acts the same as AllowUsers but instead of checking the username it checks the user's group(s). Since the /etc/shadow and /etc/group data is cached, looking up almost any user's groups is speedy.

    Another benefit is ease of management. You don't have to sift through a long string of usernames, and you can add or remove users instantly via usermod without even having to restart SSH.

    Using Both
    While I personally don't recommend it, you can use AllowUsers and AllowGroups in conjunction with each other. When both are set, SSH will only allow the users specified that are also members of the specified group(s).

    The reasons why I suggest not doing this, though, are:
    • It's easy to forget how the above works at 3 AM when you've just woken up to deal with a security breach
    • Since in the end it's based heavily on the groups, the extra overhead doesn't seem worth it
    • The config file can look clunky and make it harder to adjust settings in the future
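
    To make the AllowUsers, AllowGroups and "both set" behaviour concrete, here is an added example (not code from the original post) that simulates sshd's evaluation of those two directives against a constructed sshd_config fragment and a constructed group table, so it runs without root or a real sshd. The usernames, the groups and the deploy-* pattern are made up for illustration; sshd's own matching also supports user@host patterns and the DenyUsers/DenyGroups directives, which this script does not model.

```shell
#!/bin/sh
# Added example (not from the original post): simulate how sshd evaluates
# AllowUsers and AllowGroups so the "both must match" rule is visible.
# Group membership comes from a constructed table rather than /etc/group so
# the script runs anywhere; on a real host you would call `id -nG "$user"`.
set -f   # no pathname expansion: patterns such as deploy-* must stay literal

# Constructed sshd_config fragment (the values are made up for the demo).
SSHD_CONFIG='AllowUsers alice bob deploy-*
AllowGroups sshusers wheel'

# Constructed group table, one "user:primary,supplementary,..." line each.
GROUP_TABLE='alice:alice,sshusers
bob:bob
carol:carol,sshusers
deploy-web:deploy,wheel
mallory:mallory'

# Print the patterns listed for directive $1, or nothing if it is not set.
# (sshd keywords are case-insensitive; the demo matches them exactly.)
directive_patterns() {
    printf '%s\n' "$SSHD_CONFIG" |
        awk -v key="$1" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Succeed if $1 matches any of the remaining arguments, treated as sshd-style
# patterns where * and ? are wildcards (case does the glob matching for us).
matches_any() {
    value=$1
    shift
    for pat in "$@"; do
        case "$value" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# Print the groups of user $1, space-separated (empty for an unknown user).
user_groups() {
    printf '%s\n' "$GROUP_TABLE" |
        awk -F: -v u="$1" '$1 == u { gsub(/,/, " ", $2); print $2; exit }'
}

# is_allowed USER: exit 0 to allow, 1 to deny. Mirrors sshd's rule that a
# login must pass every Allow* directive present: the name must match
# AllowUsers (if set) AND one of the user's groups must match AllowGroups
# (if set). An unset directive imposes no restriction.
is_allowed() {
    user=$1
    user_pats=$(directive_patterns AllowUsers)
    group_pats=$(directive_patterns AllowGroups)

    if [ -n "$user_pats" ]; then
        # shellcheck disable=SC2086  # intentional word splitting into patterns
        matches_any "$user" $user_pats || return 1
    fi

    if [ -n "$group_pats" ]; then
        group_ok=1
        for g in $(user_groups "$user"); do
            # shellcheck disable=SC2086
            if matches_any "$g" $group_pats; then
                group_ok=0
                break
            fi
        done
        [ "$group_ok" -eq 0 ] || return 1
    fi
    return 0
}

# Demo: bob is listed in AllowUsers but belongs to no allowed group, and
# carol is in sshusers but not in AllowUsers, so both are denied.
for u in alice bob carol deploy-web mallory; do
    if is_allowed "$u"; then verdict=allow; else verdict=deny; fi
    printf '%-11s %s\n' "$u" "$verdict"
done
```

    Reassigning SSHD_CONFIG to just `AllowGroups sshusers` and re-running the loop shows the group-only route: carol is then allowed and deploy-web is not. On a real host the equivalent of the group table is `id -nG "$user"`, membership changes are `usermod -aG sshusers alice` (no SSH restart needed), and after editing sshd_config you should run `sshd -t` to validate the file before reloading the service. Keep in mind that sshd also processes DenyUsers and DenyGroups, and that it does so before the corresponding Allow directives.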
