Exclude Users from Match Group in SSHD [SOLVED]


Linux

Author: Omer Cakmak
Reviewer: Deepak Prasad

In today's highly connected world, securing remote access to servers is of utmost importance. One of the most popular ways to establish secure remote connections is through the Secure Shell (SSH) protocol. Administrators can manage and control user access by configuring the SSH daemon (sshd) to allow or restrict specific users or groups. In this article, we will explore the concept of Match Groups in SSHD, which enable fine-grained control over user access. We will specifically focus on how to exclude certain users from an SSH match group, thereby enhancing the granularity of access control in your server environment. This technique is particularly useful when you want to apply specific configurations to a group of users while excluding a few exceptions. By understanding how to leverage the powerful features of sshd configuration, you can effectively customize user access while maintaining a high level of security. So, let's dive into the world of SSH access control and learn how to exclude users from match groups in SSHD.

 

Overview of the Match Group Directive

The Match Group directive in SSHD configuration allows administrators to apply specific configurations or restrictions to a subset of users or addresses based on specified criteria. This feature provides fine-grained control over SSH access and can help enhance security and manageability in a server environment.

In the sshd_config file, the Match directive is followed by one or more criteria, such as User, Group, Address, or Host. When the specified criteria are met, the configuration options within the Match block are applied. The syntax for a Match directive with a group criterion is as follows:

Match Group group_name[,group_name...]
    ConfigurationOption1 value
    ConfigurationOption2 value
    ...

In this example, group_name represents the name of the group(s) for which the subsequent configuration options should apply. Multiple group names can be specified, separated by commas. The configuration options within the Match block are conventionally indented for readability, and they apply only to users who are members of the specified group(s).

Here's an example of a Match Group block in an sshd_config file:

Match Group developers
    PasswordAuthentication yes
    AllowTcpForwarding yes

In this case, the configuration options within the Match block enable password authentication and TCP forwarding for users who are members of the "developers" group. Other users will follow the default settings or any other Match block that applies to them.

 

Excluding Users from Match Group in SSHD

To exclude specific users from a Match Group in SSHD, you can use a combination of the User and Group criteria within the Match directive. By using the exclamation mark "!" before a user or group name, you can negate the match, effectively excluding users from the Match block.

Here's an example of excluding a user from a Match Group:

Match Group group_name User *,!user_to_exclude
    ConfigurationOption1 value
    ConfigurationOption2 value
    ...

In this example, group_name is the name of the group you want the Match block to apply to, and user_to_exclude is the username of the user you want to exclude from the group-specific configuration options.

For example, let's say you want to apply specific SSH configurations to the "developers" group but want to exclude the user "john":

Match Group developers User *,!john
    PasswordAuthentication yes
    AllowTcpForwarding yes

In this case, the configuration options within the Match block will apply to all users in the "developers" group, except for the user "john". John will follow the default settings or any other Match block that applies to him.

 

Example-1: Adding Users to Groups for Group Matching

In this example we have two users and one group, and we demonstrate Match Group by adding the users to the group.

We add two users:

$ sudo adduser foc
$ sudo adduser golinux

Then we create a group called admins:

$ sudo addgroup admins

We put the golinux user in the admins group:

$ sudo usermod -aG admins golinux

We enter an example Match Group setting in the sshd_config file:

Match Group admins
  Banner /etc/banner.txt

We restart the sshd service for the settings to take effect:

$ sudo systemctl restart sshd

At this point the golinux user is in the admins group but foc is not. Now we ssh with both users:

$ ssh -l foc 192.168.122.36
foc@192.168.122.36's password:
$ ssh -l golinux 192.168.122.36
Welcome this server
Example banner for golinuxcloud
golinux@192.168.122.36's password:

As you can see, no banner is shown for the foc user. Because we did not add the foc user to the admins group, the banner setting did not apply to this user. With these settings, you can authorize users on a group basis.

Now let's add the foc user to the admins group:

$ sudo usermod -aG admins foc

When we ssh with foc, the custom banner now greets us:

$ ssh -l foc 192.168.122.36
Welcome this server
Example banner for golinuxcloud
foc@192.168.122.36's password:

 

Example-2: Excluding a User Who Is in the Group from Group Matching

As in the example above, when both users are in the admins group, you may want to exclude one of them from the Match Group settings. In this case, the following configuration should be made in sshd_config. The "*" term is required: a negated pattern on its own never produces a positive match, so "User !foc" alone would match nobody.

Match Group admins User *,!foc
  Banner /etc/banner.txt

The service is restarted for the settings to take effect:

$ sudo systemctl restart sshd

Then, when the users log in, the foc user is excluded from the Match Group:

$ ssh -l foc 192.168.122.36
foc@192.168.122.36's password:

Since the golinux user is in the admins group, the settings apply:

$ ssh -l golinux 192.168.122.36
Welcome this server
Example banner for golinuxcloud
golinux@192.168.122.36's password:

To exclude multiple users in the same group, the negated usernames are written one after the other, separated by commas, again together with the "*" term:

Match Group admins User *,!foc,!golinux
  Banner /etc/banner.txt

Now, although golinux is in the admins group, it is excluded like the foc user and no banner is shown:

$ ssh -l golinux 192.168.122.36
golinux@192.168.122.36's password:
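The exclusion rules used in the Match lines above, and the reason the "*" term matters, can be seen in a small model of sshd's pattern-list matching. This is an added shell example written for this article (not OpenSSH code and not part of the original post); it assumes the constructed users foc and golinux, each a member of admins, and mirrors the rules from the PATTERNS section of sshd_config(5).

```shell
#!/bin/sh
# Simplified model of how sshd evaluates "Match Group ... User ..." (written for
# this article, not OpenSSH code). Per sshd_config(5) PATTERNS: comma-separated
# list, '*'/'?' wildcards, '!' negates, and a negated hit rejects the whole list.
set -f   # keep '*' in pattern lists literal (no pathname expansion)
# match_pattern_list STRING PATTERN_LIST
# Exit 0 = positive match, 1 = no match, 2 = rejected by a negated term.
match_pattern_list() {
    string=$1 rest=$2 got_positive=0
    while [ -n "$rest" ]; do
        case $rest in
            *,*) pat=${rest%%,*}; rest=${rest#*,} ;;
            *)   pat=$rest; rest='' ;;
        esac
        negated=0
        case $pat in '!'*) negated=1; pat=${pat#?} ;; esac
        case $string in   # unquoted $pat acts as a glob, like sshd's match_pattern()
            $pat) if [ "$negated" -eq 1 ]; then return 2; fi
                  got_positive=1 ;;
        esac
    done
    [ "$got_positive" -eq 1 ] || return 1   # only-negated lists never match
}
# group_matches "GROUP1 GROUP2 ..." PATTERN_LIST: any of the user's groups may
# satisfy the list, but a negated hit on any group rejects it (ga_match_pattern_list()).
group_matches() {
    found=1
    for g in $1; do
        match_pattern_list "$g" "$2" && rc=0 || rc=$?
        case $rc in 2) return 1 ;; 0) found=0 ;; esac
    done
    return $found
}
# match_applies USER "USER_GROUPS" GROUP_PATTERNS [USER_PATTERNS]: exit 0 when
# "Match Group GROUP_PATTERNS User USER_PATTERNS" applies to USER. Every criterion
# must hold; an empty USER_PATTERNS means the User criterion is absent.
match_applies() {
    group_matches "$2" "$3" || return 1
    if [ -n "$4" ]; then match_pattern_list "$1" "$4" || return 1; fi
}
# Constructed demo: foc and golinux are both members of admins, as in Example-2.
show() {   # show GROUP_PATTERNS USER_PATTERNS USER
    if match_applies "$3" "$3 admins" "$1" "$2"; then v=applies; else v=skips; fi
    echo "Match Group $1 User $2 -> $v $3"
}
for u in foc golinux; do
    show admins '*,!foc' "$u"            # excludes foc only
    show admins '!foc' "$u"              # pitfall: no positive term, nobody matches
    show admins '*,!foc,!golinux' "$u"   # excludes both
done
```

On a real server, sshd -T -C user=foc,host=HOST,addr=ADDR (with HOST and ADDR being the client's name and IP) prints the effective configuration for that connection, which shows whether a given Match block applies without having to log in.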

We used the Banner keyword in the examples. Keywords available with Match Group are:

  • AllowTcpForwarding
  • AuthorizedKeysFile
  • Banner
  • ChrootDirectory
  • ForceCommand
  • GatewayPorts
  • GSSAPIAuthentication
  • HostbasedAuthentication
  • HostbasedUsesNameFromPacketOnly
  • KbdInteractiveAuthentication
  • MaxAuthTries
  • PasswordAuthentication
  • PermitEmptyPasswords
  • PermitRootLogin
  • PubkeyAuthentication
  • RhostsRSAAuthentication
  • RSAAuthentication
  • X11DisplayOffset
  • X11Forwarding
  • X11UseLocalhost

 

Summary

In this article, we have shown examples of excluding users from group-based authorization using Match Group in sshd_config. For more details, see the sshd_config manual page.

sshd_config is a critical file, so be careful when working with it. We recommend making a backup before making changes; with a wrong configuration you may lose access to the system.

After trying these steps on a test server, you can apply them to the live system; the service must be restarted for the changes to take effect. When the service restarts, it warns about an incorrect or missing configuration, so review the configuration with those warnings in mind.

 


 

Omer Cakmak


He is highly skilled at managing Debian, Ubuntu, CentOS, Oracle Linux, and Red Hat servers. Proficient in bash scripting, Ansible, and AWX central server management, he handles server operations on OpenStack, KVM, Proxmox, and VMware. You can connect with him on his LinkedIn profile.
