set service ssh access-control <allow | deny> <group | user> <name>
Add access-control directive to allow or deny users and groups.
Directives are processed in the following order of precedence: `deny-users`, `allow-users`, `deny-groups` and `allow-groups`.
Yet when I set the following configuration:
ssh {
    access-control {
        allow {
            user vyos
        }
        deny {
            group vyattacfg
        }
    }
    port 22
}
My vyos user login via SSH is denied.
Shouldn’t my login be allowed according to the following order of precedence: deny-users, allow-users, deny-groups and allow-groups? That is, allow-users is evaluated before deny-groups, correct?
I see the following in syslog:
Nov 6 15:43:36 vyos sshd[5515]: User vyos from host not allowed because a group is listed in DenyGroups
Why is the allow-users entry not taking precedence?
The vyattacfg group in my example is a built in group, and it appears that all local users created via the “system login” configuration tree are added to it.
I only want the vyos user to be able to login via ssh, and all other local users denied.
Regardless of how users are added to the group, it does exist and the users are in it. Is the documentation right or wrong, and how is the ssh access-control precedence really evaluated?
The allow rule is sufficient to exclude all users except allowed users. For example:
set system login user tstA authentication plaintext-password Password
set system login user tstB authentication plaintext-password Password
set system login user tstC authentication plaintext-password Password
set service ssh access-control allow user tstA
Result - only user tstA can connect to the router
Groups are not needed in this case
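Added example (not part of either post, and not VyOS or OpenSSH code): the reason the allow-users entry does not "take precedence" is that the listed order in the documentation is the order in which sshd's allowed_user() routine (auth.c) runs its checks, and every one of the four lists is a filter that can only deny. A match in AllowUsers does not short-circuit DenyGroups; it merely lets the check proceed to the next list. The model below reproduces that sequence against constructed sample users; the group memberships are an assumption modelled on the post (every local user also in the built-in vyattacfg group), and host-qualified user@host patterns are left out for brevity.

```python
# Added example, not from the forum thread, VyOS, or OpenSSH: a model of how
# sshd's allowed_user() applies DenyUsers, AllowUsers, DenyGroups and
# AllowGroups in that order. Each list can only deny; none overrides another.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class AccessControl:
    """The four sshd_config lists. An empty allow list means 'no restriction'."""
    deny_users: list = field(default_factory=list)
    allow_users: list = field(default_factory=list)
    deny_groups: list = field(default_factory=list)
    allow_groups: list = field(default_factory=list)


def _matches(name, patterns):
    # sshd patterns accept '*' and '?' wildcards; user@host forms are omitted here.
    return any(fnmatchcase(name, p) for p in patterns)


def allowed_user(user, groups, ac):
    """Return (allowed, reason) for `user` whose primary+supplementary groups are `groups`.

    Mirrors the check sequence in sshd's allowed_user(): the first failing
    check denies, and a hit in an allow list never skips a later deny list.
    """
    if ac.deny_users and _matches(user, ac.deny_users):
        return False, "listed in DenyUsers"
    if ac.allow_users and not _matches(user, ac.allow_users):
        return False, "not listed in AllowUsers"
    if ac.deny_groups and any(_matches(g, ac.deny_groups) for g in groups):
        return False, "a group is listed in DenyGroups"
    if ac.allow_groups and not any(_matches(g, ac.allow_groups) for g in groups):
        return False, "none of user's groups are listed in AllowGroups"
    return True, "allowed"


# Constructed sample data (assumption modelled on the post): every local user
# has a private group plus membership in the built-in vyattacfg group.
USERS = {
    "vyos": ["vyos", "vyattacfg"],
    "tstA": ["tstA", "vyattacfg"],
    "tstB": ["tstB", "vyattacfg"],
}

# The original poster's configuration: allow user vyos, deny group vyattacfg.
POSTED = AccessControl(allow_users=["vyos"], deny_groups=["vyattacfg"])
# The configuration from the reply: allow user tstA, no group directives.
REPLY = AccessControl(allow_users=["tstA"])


def evaluate(ac):
    """Evaluate every sample user against one access-control set."""
    return {u: allowed_user(u, g, ac) for u, g in USERS.items()}


if __name__ == "__main__":
    for label, ac in (("posted", POSTED), ("reply", REPLY)):
        for user, (ok, why) in evaluate(ac).items():
            print(f"{label}: {user}: {'allowed' if ok else 'denied'} ({why})")
```

Running it shows the posted configuration denying vyos with the same reason as the syslog line (a group is listed in DenyGroups), while the reply's allow-only configuration admits tstA and rejects everyone else at the AllowUsers step, which is why no deny directive is needed to lock the router down to one user.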
Thank you, this works for my use case. I am still vaguely concerned about the documentation of the ssh access control directives. It is not quite clear how it would or should work in cases where you’ve got multiple directives entered for both allow and deny.