SSHD AllowGroups，通过组控制访问

Question

我和SSHD在ubuntu上有个问题。我试图通过使用AllowGroups来限制可以远程登录的帐户，从而在SSH服务器上提供更健壮的安全性。不幸的是，似乎未在允许的组中的用户仍然可以登录并发出命令。

我正在使用: OpenSSH_6.6.1p1 Ubuntu-2 ubuntu2.3，OpenSSL 1.0.1f 2014年1月6日

我在/etc/ssh/sshd_config中添加了以下几行

AllowGroups ssh

DenyGroups *

我创建了两个用户帐户

$ id test1
uid=1002(test1) gid=1003(test1) groups=1003(test1),113(ssh)
$ id test2
uid=1003(test2) gid=1004(test2) groups=1004(test2)

用户test2仍然可以从远程终端进行ssh。

当我测试sshd服务器配置时，它似乎包括组ssh的AllowGroups设置。

$ sudo /usr/sbin/sshd -T

port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22
usepam 1
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
permitrootlogin without-password
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication yes
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapikeyexchange no
gssapicleanupcredentials yes
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd no
printlastlog yes
x11forwarding yes
x11uselocalhost yes
permittty yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
usedns yes
allowtcpforwarding yes
useprivilegeseparation yes
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
macs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
versionaddendum 
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
allowgroups ssh
denygroups
acceptenv LANG
acceptenv LC_*
authenticationmethods
subsystem sftp /usr/lib/openssh/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos lowdelay throughput
rekeylimit 0 0
permitopen any

我对AllowGroups功能的理解是否不正确？我有冲突的背景吗？有人有我学习的sshd_config与AllowGroups一起工作的例子吗？谢谢。

Answer 1

您可以在PAM模块pam_listfile中完成同样的任务。

auth    required       pam_listfile.so \
        onerr=fail item=group sense=allow file=/etc/logingroups

这意味着只允许/etc/logingroups中列出的组在服务器上进行身份验证。查看其手册页：listfile