- This is an overview of the sshd_config tests performed as part of [this post](https://askubuntu.com/questions/649796/allow-specified-ssh-to-connect-only-from-one-ip-or-hostnme/649798?noredirect=1#comment933325_649798). The goal is to block the `test` user from being connected to from any server except the one specified.
- ## Versioning
- * Ubuntu 14.04
- * OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
- ## Context
- Testing with the username `test` on host 10.1.0.3, which is also specified as bob.programster.org in the /etc/hosts file of the server being logged into.
- ### Unexpected Behaviour
- When being denied permission in most of the cases below, instead of getting "permission denied" when trying to connect, you will be asked for your password several times, and you will be rejected after your third attempt, making you think your password was incorrect when actually you are just being denied.
- ## Test Cases
- ### Block Placement
- Placing the block just underneath `PasswordAuthentication yes`:
- ```
- Match Host *
- DenyUsers test
- Match Host 10.1.0.3
- AllowUsers test
- ```
- This results in not being able to SSH in from anywhere with any account.
- **The rest of the tests are with the block placed at the end of the config.**
- ### Using Provided Solution
- Using the same config, but at the end of the file.
- ```
- Match Host *
- DenyUsers test
- Match Host 10.1.0.3
- AllowUsers test
- ```
- Result:
- * Can log into non-test user on 10.1.0.3, but not `test` user. (Need to log in as test user. Nice if still able to log into other accounts from this server but not necessary)
- * Can log into non-test user on any server, but not `test` user. (This part is desired)
- ### Using Hostname with Address
- ```
- Match Address *
- DenyUsers test
- Match Address bob.programster.org
- AllowUsers test
- ```
- Result:
- * Can log into non-test user on 10.1.0.3, but not `test` user. (Need to log in as test user. Nice if still able to log into other accounts from this server but not necessary)
- * Can log into non-test user on any server, but not `test` user. (This part is desired)
- ### Using Hostname with Host
- ```
- Match Host *
- DenyUsers test
- Match Host bob.programster.org
- AllowUsers test
- ```
- Result:
- * Can't log into **any** account on 10.1.0.3, but can log in as non-test user on any other server.
- ### Using Address Instead of Host
- ```
- Match Address *
- DenyUsers test
- Match Address 10.1.0.3
- AllowUsers test
- ```
- Result:
- * Can't log into **any** account on 10.1.0.3, but can log in as non-test user on any other server.
- ### Mixed Address and Host
- ```
- Match Address *
- DenyUsers test
- Match Host bob.programster.org
- AllowUsers test
- ```
- Result:
- * Can't log into **any** account on 10.1.0.3, but can log in as non-test user on any other server.
- ### Mixed Address and Host 2
- ```
- Match Host *
- DenyUsers test
- Match Address 10.1.0.3
- AllowUsers test
- ```
- Result:
- * Can't log into **any** account on 10.1.0.3, but can log in as non-test user on any other server.
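An added example (not part of the original paste, and not OpenSSH code): a small Python model of the sshd_config(5) rules that reproduces the six end-of-file results above, namely that every satisfied Match block applies, the first value obtained for a keyword is used, and DenyUsers is processed before AllowUsers. Assumptions: the client is at 10.1.0.3 and UseDNS is on, so `Match Host` sees the resolved name rather than the IP; `alice`, `other.example.org` and 10.1.0.9 are constructed; patterns are treated as plain globs and user names are compared exactly.

```python
from fnmatch import fnmatchcase

# Constructed client identities. With UseDNS on, Match Host is compared against
# the name the server resolves for the peer (here via /etc/hosts), not its IP.
BOB = {"Host": "bob.programster.org", "Address": "10.1.0.3"}
OTHER = {"Host": "other.example.org", "Address": "10.1.0.9"}  # constructed

def parse_match_blocks(text):
    """Parse 'Match <criterion> <pattern>' blocks into (criterion, pattern, settings)."""
    blocks = []
    for line in text.strip().splitlines():
        words = line.split()
        if words and words[0] == "Match":
            blocks.append((words[1], words[2], {}))
        elif words:
            blocks[-1][2][words[0]] = words[1:]
    return blocks

def effective(blocks, conn):
    """Merge every satisfied block; the first value seen for a keyword wins."""
    merged = {}
    for criterion, pattern, settings in blocks:
        if fnmatchcase(conn[criterion].lower(), pattern.lower()):
            for keyword, users in settings.items():
                merged.setdefault(keyword, users)
    return merged

def may_login(config, user, conn):
    """Apply DenyUsers first, then AllowUsers as an exclusive allow-list."""
    eff = effective(parse_match_blocks(config), conn)
    if user in eff.get("DenyUsers", []):
        return False
    return "AllowUsers" not in eff or user in eff["AllowUsers"]

def outcome(first, second):
    """Return (test@bob, alice@bob, test@other, alice@other) for one test case."""
    config = f"Match {first}\nDenyUsers test\nMatch {second}\nAllowUsers test\n"
    return tuple(may_login(config, u, c) for c in (BOB, OTHER) for u in ("test", "alice"))

if __name__ == "__main__":
    for first, second in [("Host *", "Host 10.1.0.3"), ("Address *", "Address bob.programster.org"),
                          ("Host *", "Host bob.programster.org"), ("Address *", "Address 10.1.0.3"),
                          ("Address *", "Host bob.programster.org"), ("Host *", "Address 10.1.0.3")]:
        print(f"{first:10} / {second:28} -> {outcome(first, second)}")
```

In the four cases where the second block matches, both blocks apply to the connection from 10.1.0.3: `test` is denied by DenyUsers and every other account is excluded by the AllowUsers list.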