OpenSSH DenyUsers negate

langeman · July 26, 2023, 3:19pm

Hi all,

Am I missing something? According to the man pages this should work:

cat /etc/ssh/sshd_config.d/01-permitrootlogin.conf
PermitRootLogin yes
DenyUsers root@!192.168.1.1

Allow root login but ONLY when it’s not from 192.168.1.2. Well, that’s not working…

However, changing the configuration will make it work:

PermitRootLogin yes
DenyUsers root@*,!192.168.1.2

Am I misreading the man pages or is this a bug, for a long time there…?

langeman

hcvv · July 26, 2023, 3:57pm

Hello and welcome to the openSUSE forums.

Sorry, but saying “it does (not) work” is not something that tells much in a computer environment.

You should explain

what you did (and we have only some configurations, but you did not tell what you did);
what happened (this is missing complete);
what you expected to happen (this is also missing).

So we can only guess what you mean with “working”. And guessing from this side will probably lead to misunderstandings and bad advice.

Oh, and please select you pieces of computer text and then hit the </> button in the tool bar of the post editor. That will make the computer text much more readable and understandable.

404_UsernameNotFound · July 26, 2023, 4:14pm

Hi,
from how I understand the syntax I would have said that in

There is a lack of the ips that you exclude 192.168.1.1 from.
So, the * (any ip) as in your second example.

Instead of the

I would have put a space. Does it work with a space instead?

awerlang · July 26, 2023, 4:21pm

Yes, you are misreading man pages. Check out man ssh_config again, it’s pretty definitive.

langeman · July 26, 2023, 4:47pm

OK, some more clarification:

I was expecting user root root can only login from 192.168.1.1. Well, logging in from another IP-address is possible also:

ssh 127.0.0.1 'whoami'
root

But Busy Penquin was right, it’s in the man 5 ssh_config:

…the following pattern list will fail: from=“!host1,!host2”
…
The solution here is to include a term that will yield a positive match,
such as a wildcard: from=“!host1,!host2,*”

Hence: this one also works:

DenyUsers root@!10.19.69.0/24,*

Logging in from localhost will now result into:

journalctl -l -u sshd.service
User root from 127.0.0.1 not allowed because listed in DenyUsers

And to make it all complete I changed the config to:

DenyUsers root@!192.168.122.1,!127.0.0.1,!::1,*

So, great, it’s working; thanks for the help.

langeman

langeman · July 26, 2023, 4:48pm

Yep, you’re right. Thanks for the hint, see my other response earlier.