sshd behaviour.

Discussion in 'Server Operation' started by keybd_user, Aug 20, 2006.

  1. keybd_user

    keybd_user Member

    Hi,

    I have seen something on my sshd operation that I was not counting on.
    It is really not a problem.
    But maybe it is better to share with everyone this behaviour.

    I had, as everybody should:

    PermitRootLogin no

    Also I have defined all daemons and system-created users as DenyUsers.

    And then made some AllowUsers, the normal login folks to my server.

    My surprise is that, reading the man pages, it is not apparent that in this type of configuration the message that appears in my logs when those nasty folks out there try to log in as root is:
    Aug 20 18:56:48 xxxxx sshd[xxxx]: User root from 202.100.244.37 not allowed because not listed in AllowUsers

    !?

    In fact root is obviously not listed in the AllowUsers.
    But this should not be the eliminating login "parameter".
    He is not PermitRootLogin.

    Is this a "normal" sshd behaviour under the above config?
    I tried with another user not listed in the AllowUsers and the log is the same.
    ... not listed in the AllowUsers.

    I think this means that every user created must be listed or will not have ssh access.

    Regards,
    Pedro
     
  2. themachine

    themachine New Member HowtoForge Supporter

    If you use the 'AllowUsers' directive, only those users will be allowed to SSH directly. This does not mean that you cannot SSH in with a regular user, and then 'su -' to root. Any user that should have SSH access will need to be listed in this directive.

    I think that is what you are asking... but maybe not. If you are saying that root should be denied because of 'AllowDirectRootLogin no', then maybe try moving the 'AllowDirectRootLogin' higher in the config file so that it is above the AllowUsers directive (and possibly therefore read first).... not sure what difference that might make.
     
  3. keybd_user

    keybd_user Member

    Hi,

    Exactly my point.
    The AllowUsers and the DenyUsers are both exclusion conditions.
    Actually that is extremely well programmed.

    What you mention is my point exactly, PermitRootLogin no is before all of the Allow/DenyUsers.
    But that is really not a problem as the result is the same, only the log messages change.

    And I have seen the data structures of sshd concerning configuration parameters (in servconf.h and servconf.c) and I did not see AllowDirectRootLogin.
    Grepping the openssh source dir for AllowDirectRootLogin does not return any result.

    Regards,
    Pedro
     
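To show why the log line quoted in the thread appears even with PermitRootLogin set to no, here is an added Python model of sshd's access checks (example code written for this page, not OpenSSH's own source): DenyUsers, AllowUsers, DenyGroups and AllowGroups are evaluated in that order inside sshd's allowed_user() before any authentication happens, and PermitRootLogin is only consulted once root actually tries to authenticate. The config fragment, client hosts and group memberships below are constructed for the example.

```python
import fnmatch

def _user_matches(patterns, user, host):
    # sshd patterns are "user" or "user@host"; "*" and "?" are wildcards.
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat):
                return True
        elif fnmatch.fnmatchcase(user, pat):
            return True
    return False

def _group_matches(patterns, groups):
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)

def check_login(config, user, host, groups):
    """Return (allowed, reason) in the order sshd applies its directives.
    The user/group lists are checked first (as in allowed_user()); only a
    user who survives them reaches the PermitRootLogin check."""
    if _user_matches(config.get("DenyUsers", []), user, host):
        return False, f"User {user} from {host} not allowed because listed in DenyUsers"
    allow = config.get("AllowUsers", [])
    if allow and not _user_matches(allow, user, host):
        return False, f"User {user} from {host} not allowed because not listed in AllowUsers"
    if _group_matches(config.get("DenyGroups", []), groups):
        return False, f"User {user} from {host} not allowed because a group is listed in DenyGroups"
    allow_g = config.get("AllowGroups", [])
    if allow_g and not _group_matches(allow_g, groups):
        return False, f"User {user} from {host} not allowed because none of user's groups are listed in AllowGroups"
    if user == "root" and config.get("PermitRootLogin", "yes") == "no":
        return False, f"ROOT LOGIN REFUSED FROM {host}"
    return True, "accepted"

# Constructed sshd_config fragment mirroring the poster's setup (not his real file).
CONFIG = {
    "PermitRootLogin": "no",
    "DenyUsers": ["daemon", "www-data", "mysql"],
    "AllowUsers": ["pedro", "backup@10.0.0.*"],
}

def demo():
    # Attempts: root from the thread's IP, a denied daemon account, an allowed
    # user, and the host-restricted user from a wrong and a right network.
    return [check_login(CONFIG, u, h, g) for u, h, g in [
        ("root", "202.100.244.37", ["root"]),
        ("www-data", "10.0.0.5", ["www-data"]),
        ("pedro", "203.0.113.9", ["pedro", "users"]),
        ("backup", "203.0.113.9", ["backup"]),
        ("backup", "10.0.0.7", ["backup"]),
    ]]
```

Because AllowUsers is non-empty and root is not in it, the model rejects root with the "not listed in AllowUsers" message before the PermitRootLogin check is ever reached, which is exactly what the thread's log shows.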