Using OpenSSH, I have enabled ssh login to my Ubuntu 18.04 machine, call it `Remote`, and my user account on `Remote` is called `Remote-User`. I have also made sure that login is only possible by means of public-key authentication. Here comes the actual description of the problem.

I have two local machines, call them `Local-A` and `Local-B`, and each of them has one user, call them `User-A` and `User-B`, respectively. I would like to restrict access to `Remote-User@Remote` to only `User-A` and `User-B` and disallow other users, irrespective of whether their public key has been added to the `.ssh/authorized_keys` file of `Remote-User@Remote`. I tried doing so by adding the line

    AllowUsers User-A User-B

to `sshd_config`, but I noticed that `User-B` had ssh access to `Remote-User@Remote` even if I simply had

    AllowUsers User-A

This makes me think that any user whose public key has been added to `Remote-User@Remote`'s `.ssh/authorized_keys` file will have access, irrespective of any restrictions I try to impose using `AllowUsers`.

I was wondering if anybody has any suggestions on how to tackle this. Bear in mind that I am not well-versed in this domain, so I might have omitted important information. If so, please let me know and I am happy to update this question.
The `AllowUsers` option in the `/etc/ssh/sshd_config` file is exactly what you need to accomplish user access restriction via `ssh`. See the manpage for sshd_config:

In order for the changes in `sshd_config` to take effect, you need to restart the `sshd` service with:

If that still does not work, check the `/etc/ssh/sshd_config.d` folder for any additional configuration files that overrule your `AllowUsers` statement.

When you add multiple public keys to the `.ssh/authorized_keys` file, anyone having any of the private keys for `remote-user` can log in as `remote-user`. The best and most secure way to allow only particular users is to have a separate account for each individual user, and each individual public key should be in that account's `.ssh/authorized_keys` file. Here the common account `Remote-User` should not be used. You can restrict users to allow login via ssh key only in OpenSSH. Thus each separate user will have a separate account, and it will only be able to log in to its own account.

The SSH key identifies the user uniquely. It can be re-used, but anyone that has the private key has full access to that identity.

Trying to add additional restrictions will be problematic. The SSH key gives a guarantee that the owner of the key has access to the key (i.e. as long as the owner maintains key privacy, the use of their key guarantees their identity).

Any other form of identifying the user, such as the source machine/IP address for the connection, is not going to have the same level of guarantee. In other words, those forms have a very real potential to be spoofed/tricked.

So here's the recommended solution:

- `ssh-keygen` for each of the users to give them a new, unique SSH key
- `authorized_keys` file

Hope this helps!
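As an added example that is not part of the thread, the following Python script audits the situation the question describes: given the `AllowUsers` line from `sshd_config` and the `authorized_keys` contents of each account on the server, it reports which key holders can actually reach which account, and flags accounts shared by several keys. The config fragment, account names and key lines are constructed for the example.

```python
"""Audit who can log in to which account on an OpenSSH server.

Models two facts the thread turns on: AllowUsers filters the account being
logged into on the server (not the client-side user name), and every key in
an account's authorized_keys grants that account. Constructed sample data below.
"""
import re

# Constructed sshd_config fragment: lists the server accounts that may log in.
SSHD_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers User-A User-B remote-user   # client user names do not exist here
"""

# Constructed authorized_keys contents, keyed by server account name.
# remote-user holds two keys: the shared-account setup from the question.
AUTHORIZED_KEYS = {
    "remote-user": "ssh-ed25519 AAAAC3EXAMPLEA user-a@local-a\n"
                   "ssh-ed25519 AAAAC3EXAMPLEB user-b@local-b\n",
    "alice": "ssh-ed25519 AAAAC3EXAMPLEC alice@laptop\n",
}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def allowed_accounts(config):
    """Return the server account names listed on AllowUsers lines."""
    allowed = set()
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if re.match(r"(?i)^allowusers\s", line):
            allowed.update(line.split()[1:])
    return allowed

def key_holders(authorized_keys):
    """Return one label (comment field, or a blob prefix) per key line.

    Skips blank and comment lines and tolerates a leading options field such
    as from="..." as long as the options contain no whitespace.
    """
    holders = []
    for line in authorized_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        i = next(n for n, f in enumerate(fields) if f.startswith(KEY_TYPES))
        holders.append(" ".join(fields[i + 2:]) or fields[i + 1][:16])
    return holders

def audit(config, keys):
    """Map each AllowUsers account to the key holders who can use it.

    An account listed in AllowUsers but absent from the server gets an empty
    list: naming client-side users there grants nobody anything.
    """
    return {acct: key_holders(keys.get(acct, "")) for acct in allowed_accounts(config)}

def shared_accounts(report):
    """Accounts reachable with more than one key, i.e. shared identities."""
    return sorted(a for a, h in report.items() if len(h) > 1)
```

Running `audit(SSHD_CONFIG, AUTHORIZED_KEYS)` shows `User-A` and `User-B` granting nobody, `alice` absent because she is not in `AllowUsers`, and `remote-user` flagged as shared by two key holders.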