Support for AllowGroups instead of AllowUsers in the SSH daemon? #165
Comments
Thanks for sharing @vivvvi
One thing I hadn't considered when you mentioned this on Discord is IP restrictions. To simplify IP restrictions, we use the SSH daemon for this (instead of e.g. hosts file or UFW firewall rules):
If we wanted to support IP restrictions per sudo group, I think we need to use a Match block:
Ref: https://unix.stackexchange.com/questions/334566/using-allowgroups-and-restrict-by-ip-address
I don't really like Match blocks as I think it complicates the SSH daemon, esp. since we are already using a chroot block for the SFTP user on SlickStack. Will probably need to consider all of this and see if it's possible.
Ref: https:/littlebizzy/slickstack/blob/master/modules/ubuntu/22.04/sshd-config.txt
Anyway, I'm guessing your agency does not even use SFTP access at all, which is why you do that approach? Or, do you use another group for allowing SFTP access only?
By the way, we might also need to revise groups in By default Ubuntu has @sudo and @admin groups... just mentioning this here to remember later.
Ref: https:/littlebizzy/slickstack/blob/master/modules/ubuntu/sudoers.txt
change request:
slickstack by default uses AllowUsers whereas in a multi user / groups linux environment AllowGroups is essential, and in my opinion more desirable for everyone.
my configuration:
In our environment we have a group called ssh-users and users that are allowed to login added to the group.
so.. in /etc/ssh/sshd_config
the line for AllowUsers I replace with
AllowGroups ssh-users
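The trade-off discussed in this thread, shown as an added sshd_config fragment (not code from the issue or from SlickStack): AllowUsers accepts USER@HOST patterns with CIDR ranges, AllowGroups takes group names only, so an address restriction on a group needs a Match block. The user names and the 203.0.113.0/24 range are constructed placeholders; ssh-users is the group named in the request.

```sshdconfig
# --- Per-user form (constructed example of the AllowUsers style) ---
# Each entry is USER@HOST; HOST may be a CIDR range.
# Every new account means editing this line.
#AllowUsers alice@203.0.113.0/24 bob@203.0.113.0/24

# --- Group form ---
# Membership in ssh-users decides who may log in. AllowGroups has no
# @HOST syntax, so this line alone accepts members from any address.
# Do not leave AllowUsers set alongside it unless intended: when both
# are present, a login has to pass both checks.
AllowGroups ssh-users

# Match blocks go after all global settings and run until the next
# Match line or end of file, so place this next to any existing
# Match block rather than above the global section.
#
# Criteria on one Match line are ANDed: member of ssh-users AND source
# address outside the trusted range. A negated pattern never matches on
# its own, hence the leading "*" before "!203.0.113.0/24".
Match Group ssh-users Address *,!203.0.113.0/24
    # Overrides the (empty) global DenyGroups for these connections only,
    # so group members are refused from untrusted addresses.
    DenyGroups ssh-users
```

`sshd -t` checks the syntax before a reload, and `sshd -T -C user=alice,host=client.example,addr=198.51.100.7` prints the settings that would apply to that (constructed) connection, which shows whether the Match block took effect.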