2

I want to deny access to a single user (test1) from IP 192.168.122.16. So I have added the following line in /etc/ssh/sshd_config:

DenyUsers test1@192.168.122.16

Then I restarted sshd after making changes to the sshd_config. But after this change in the conf file, all the users from that IP are getting a permission denied message. Instead, I want to deny access only to a single user, 'test1'.

The sshd_config man page states as follows:

DenyUsers

This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

I am particularly interested in restricting only the user 'test1' from the above IP. But I am OK with the user doing a login from a different IP. Anything I am missing here?

linxsaga
  • DenyUsers test1@192.168.122.16 Are you sure that 192.168.122.16 is the address that the destination server "sees"? Sometimes the connection comes over another interface or a NAT. –  Oct 09 '14 at 11:53

1 Answer

1

That's the way it works, I've just tested it myself on a RHEL6 server here, all I added to was:

/etc/sshd/sshd_config:

DenyUsers sirch@www.xxx.yyy.zzz

And now only sirch is unable to login only from that address. Sirch can log in from other addresses, and everyone else can log in from all addresses including that one.

Is it possible something else changed?

Sirch
  • Hi, I have the same setup but it does not work like that for me. How can I debug it further? Has the user (sirch) been made part of any other group or settings? Or should the DenyUsers be put in an apt place in the conf file? – linxsaga Jun 14 '12 at 11:42
  • Watch /var/log/secure: `Jun 14 13:35:17 rhel6svr sshd[10143]: User sirch from www.xxx.yyy.zzz not allowed because listed in DenyUsers` – Sirch Jun 14 '12 at 12:37
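
The log check suggested in the last comment, written out as an added example (not code from the thread): it reads sshd lines in the /var/log/secure format quoted above and reports whether the `DenyUsers test1@192.168.122.16` rule is what rejected each login, and which source addresses sshd actually saw for the user. The sample log is constructed; the user test2, the address 192.168.122.20 and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the /var/log/secure format quoted in the comment above;
# the timestamps, PIDs, ports, test2 and 192.168.122.20 are made up.
SAMPLE_LOG = """\
Jun 14 13:35:17 rhel6svr sshd[10143]: User test1 from 192.168.122.16 not allowed because listed in DenyUsers
Jun 14 13:35:20 rhel6svr sshd[10143]: Failed password for invalid user test1 from 192.168.122.16 port 40110 ssh2
Jun 14 13:36:02 rhel6svr sshd[10150]: Failed password for test2 from 192.168.122.16 port 40112 ssh2
Jun 14 13:37:40 rhel6svr sshd[10161]: Accepted password for test1 from 192.168.122.20 port 51514 ssh2
"""

PATTERNS = {
    "denyusers": re.compile(r"sshd\[\d+\]: User (\S+) from (\S+) not allowed because listed in DenyUsers"),
    "failed": re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+"),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+"),
}

def classify(log_text):
    """Map each (user, source) pair to the set of sshd events logged for it."""
    events = {}
    for line in log_text.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.setdefault(match.groups(), set()).add(name)
                break
    return events

def check_rule(log_text, user, source):
    """Compare what sshd logged with the intent of 'DenyUsers user@source'."""
    events = classify(log_text)
    denied = {pair for pair, seen in events.items() if "denyusers" in seen}
    return {
        # The intended pair was rejected by DenyUsers.
        "rule_hit": (user, source) in denied,
        # Other pairs rejected by DenyUsers: the rule is broader than intended.
        "collateral": sorted(denied - {(user, source)}),
        # Failures with no DenyUsers line: the cause is something else.
        "failed_elsewhere": sorted(
            pair for pair, seen in events.items()
            if "failed" in seen and "denyusers" not in seen
        ),
        # Sources sshd saw for this user (reveals NAT or another interface).
        "sources_seen": sorted({src for (usr, src) in events if usr == user}),
    }

if __name__ == "__main__":
    for key, value in check_rule(SAMPLE_LOG, "test1", "192.168.122.16").items():
        print(f"{key}: {value}")
```

On the server itself, pass the contents of /var/log/secure in place of `SAMPLE_LOG`.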