1 Planet Malaysia August 3, 2006 at 3:56 am

Weird! I added “account required pam_access.so” into “/etc/pam.d/sshd” and modified “/etc/security/access.conf” to
“-:ALL EXCEPT root:10.10.10.12”, but I still managed to SSH login from other IP addresses (e.g. 10.10.10.2, 10.10.10.3).

2 Planet Malaysia August 3, 2006 at 4:53 am

I found a solution:
vi /etc/security/access.conf and added these 2 lines
- : root : ALL
+ : root : 10.10.10.52.
and save.

3 jeremiah August 30, 2006 at 2:02 pm

You state that one should edit /etc/pam.d/sshd to enable the access.conf file. But this is not really what you should advise. What you should say is that one has to edit /etc/pam.d/ssh and add a line forcing usage of /etc/security/access.conf. If one just hacks on /etc/pam.d/sshd then anyone can still login since you have not configured PAM access.conf!

4 jeremiah August 30, 2006 at 2:03 pm

You have to modify /etc/pam.d/ssh not /etc/pam.d/sshd

5 nixCraft August 30, 2006 at 2:31 pm

The file name changes from one Linux distro to another. So it may be ssh or sshd.

6 Matthew Feinberg October 3, 2006 at 6:26 pm

That’s because pam_access scans access.conf for the first entry that matches the (user, host) combination. Your line does not match any address except 10.10.10.12, so you have denied all users except root from logging in from 10.10.10.12. The line does not affect connections from any other host.

7 Thorne Lawler January 14, 2009 at 2:52 am

How should this (fairly obvious, common) restriction be implemented on systems which do not use PAM?

I’m quite disappointed with the OpenSSH dev team for this: A multitude of other Allow/Deny mechanisms have supported this kind of behaviour for longer than I’ve been alive. Why the great leap backwards?

8 Khandakar Ashfaqur Rahman March 19, 2009 at 5:59 am

Good Solution.

Regards,
Rigan

9 James June 4, 2009 at 8:52 pm

@Thorne

Actually, OpenSSH does support a multitude of Allow/Deny mechanisms, though I believe they are all ANDed together. Thus, obtaining the behavior described in the intro to this page is not possible with OpenSSH alone. Here are the Allow/Deny mechanisms supported by OpenSSH.

AllowGroups
AllowTcpForwarding
AllowUsers
DenyGroups
DenyUsers

10 Max June 24, 2009 at 11:50 pm

How do you edit the access line to accept a group name with a space in it?
-:ALL EXCEPT Domain Users :ALL seems to read the groups as Domain and Users. Adding “quotes” didn’t work either.

11 Peter L December 21, 2009 at 11:19 pm

I found that the order of entries in /etc/pam.d/sshd matters. Line “account required pam_access.so” must be prepended, not appended to the end of the file. It must appear before the other “account” lines. Otherwise great guide – thanks dude!

12 Solaris April 16, 2010 at 9:06 am

You can use
AllowUsers vivek@10.10.10.12 root@10.10.10.12 user2

in /etc/ssh/sshd_config

to allow user2 from anywhere and vivek and root from only that ip

then
$ sudo /etc/init.d/ssh reload

13 danny December 1, 2011 at 10:51 pm

Thanks for the info! Don’t forget to add :

+ : root : localhost.locadomain cron crond LOCAL

Otherwise, your cronjobs will not work.

14 olivier January 11, 2012 at 10:03 pm

This message is not really friendly for the user when they don’t have access:
“Connection closed by xxx.xxx.xx.xx”

Is there any way to tune the denied access message ?

Something like : “access denied for user joe from host xxx.xxx.xxx.xxx” for example ?

15 Olivier January 24, 2012 at 7:55 am

It works for me, but is there any way to tune the denied access message when a user is not allowed to connect ?

Something like : “access denied for user joe from host xxx.xxx.xxx.xxx” for example instead of the brutal “Connection closed by xxx.xxx.xx.xx”

Thanks

16 LPIC.lt February 20, 2012 at 5:26 pm

Hello, I have translated this topic to Lithuanian, and will post it on 2012-February-25th at 10 (AM) in GMT +0 time (I think) at url: http://lpic.lt/2012/02/25/cyberciti-biz-openssh-root-user-account-restriction-revisited-lietuviskai/ < it will have a link to this post.

If the author says that he does not want it, I will not post it. But let me know, by email or reply here.

thanks

17 Maddie September 12, 2012 at 12:21 am

How do I configure access.conf so that the following rule is applied? :

Allow the user dia to connect from 192.152.100.
Deny the user sim to connect from 192.152.100.
Particularity : both the users dia (uid = 8389753 ) and sim (uid = 500) belong to the group sim (gid : 500)
Yes, the user and group sim have the same name and the same id.

With the following syntax,
- : sim : 192.152.100.
the user sim is denied, as well as dia (because dia belongs to the group sim). access.conf considers sim as being both the user and group.

How do I specify that I want to deny the user sim, but not the users who belong to the group sim?

18 Jason Barnett September 27, 2012 at 6:47 pm

@Maddie

You simply need to specify ‘dia’ first and you will get your desired result. The access.conf uses the first entry that matches the (user, host) combination.

Follow this syntax,
+ : dia : 192.152.100.0/24
- : sim : 192.152.100.0/24

Quote from access.conf man: “When someone logs in, the file access.conf is scanned for the first entry that matches the (user, host) or (user, network/netmask) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused.”

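The first-match rule quoted above explains both comment 1 (a line naming one host leaves every other host unrestricted, as Matthew Feinberg noted in comment 6) and Maddie's sim/dia problem. The following added example is not from the article or from pam_access itself; it is a small Python model of access.conf evaluation (first matching line wins, ALL and EXCEPT lists, the `192.152.100.` prefix and `/24` forms, and a bare name matching a group as well as a user), with the group table and sample configs constructed to mirror the comments.

```python
import ipaddress

# Constructed group table standing in for getgrnam(): users "dia" and "sim"
# are both members of group "sim", as in Maddie's question above. (Assumption.)
GROUPS = {"sim": {"sim", "dia"}}

def _list_match(field, item, matcher):
    """pam_access list semantics: 'A B EXCEPT C' matches if A or B match and C does not."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(" ".join(tokens[:i]), item, matcher)
                and not _list_match(" ".join(tokens[i + 1:]), item, matcher))
    return any(t == "ALL" or matcher(t, item) for t in tokens)

def _user_match(token, user):
    # A bare name matches the user of that name or any group of that name the
    # user belongs to; this is the sim/sim ambiguity Maddie ran into.
    return token == user or user in GROUPS.get(token, set())

def _host_match(token, host):
    if token == host:
        return True
    if token.endswith("."):            # prefix form, e.g. 192.152.100.
        return host.startswith(token)
    if "/" in token:                   # network/netmask form, e.g. 192.152.100.0/24
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(token, strict=False)
        except ValueError:             # a hostname, not an address: no CIDR match
            return False
    return False

def check_access(conf, user, host):
    """True if (user, host) is allowed by the first matching access.conf line.
    As with pam_access, access is granted when no line matches at all."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        if _list_match(users, user, _user_match) and _list_match(origins, host, _host_match):
            return perm == "+"
    return True

# Constructed configs: comment 1's single line, then Maddie's and Jason's versions.
ONLY_ROOT_FROM_ONE_HOST = "- : ALL EXCEPT root : 10.10.10.12\n"
DENY_SIM_FIRST = "- : sim : 192.152.100.\n"
ALLOW_DIA_FIRST = "+ : dia : 192.152.100.0/24\n- : sim : 192.152.100.0/24\n"
```

With `ONLY_ROOT_FROM_ONE_HOST`, vivek from 10.10.10.2 matches no line and is therefore allowed; with `DENY_SIM_FIRST`, dia is denied through the group, and only `ALLOW_DIA_FIRST` admits dia while still refusing sim.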
19 Marios Zindilis April 23, 2013 at 11:26 am

Thank you very much for this article!
