Hello dear community, I have created a few users on the ISPC server who should have administrative access. Furthermore, I have created quite a few SSH users within ISPconfig, all of which are only allowed to access a JailKit environment. I would now like to restrict access in sshd_config to the two groups mentioned above. In other words: ‘admin1’, ‘admin2’ and 'admin3’ have administrative access and are in the ‘admins’ group. ‘client1’, 'client2' and 'client3' are users that are created in ISPconfig. How can I implement this restriction in the sshd_config? I would like to avoid having to maintain all users individually in sshd_config. For example as follows: Code: AllowUsers admin1 admin2 admin3 client1 client2 client3 As far as I know, the ISPconfig SSH users are not bundled in a group (f.e. 'sshusers'), which would make the configuration in sshd_config easier for me. For example, simply per: Code: AllowGroups admins sshusers Are there any alternatives or best practices?
any ssh users you create in ispconfig are automatically added to the sshusers group but they are web1, web2 or whatever username you pick for them.. not client1, client2 etc. clients do not get an individual ssh login in ispconfig, the ispconfig client logins, client1, client2 are groups in the OS. the web# id's are the individual user accounts, and are separate for each website.
Thank you for your feedback, nhybgtvfr. You are absolutely right. Admittedly, it was a stupid idea of mine to use ‘clientX’ as an example for the SSH users, as this obviously led to overlaps and confusion with the naming for clients in ISPconfig. I know what you mean - I meant it that way too. I was unsure because the SSH users are created as aliases for the ‘webX’ users. I suspected that this was the cause of the failed login. It turned out that it wasn't my sshd_config at all that was blocking access, but a misconfiguration in Jailkit. After fixing that, I was able to restrict access in sshd_config using ‘AllowGroups sshadmins sshusers’ and everything works perfectly. Thanks again for nudging me in the right direction.
