-
Title
vastool user checklogin works, but user can't authenticate via ssh. Will users that are unix enabled work if the AllowGroups or AllowUsers setting in sshd_config ? DenyUsers or DenyGroups setting in sshd_config file. -
Description
The /opt/quest/bin/vastool user checklogin works, but user can't authenticate.
Will users that are unix enabled work if the AllowGroups or AllowUsers setting in sshd_config ?
Is DenyUsers or DenyGroups setting in sshd_config enforced?
-
Cause
Configuration issue.
-
Resolution
The allowgroups and allowuses setting in sshd_config can be used to define what users or groups are valid for using ssh to access the machine. If configured properly this should work fine. The group or users being defined however needs to be unix enabled for this to work properly.
Since cached users or groups are visible to nss calls the fact that these users and groups are in AD is invisible to the system locally. Also ensure the users.allow file or service.allow file if being used are configured properly.
The DenyUsers and DenyGroups setting in sshd_config file is enforced when set. Use DenyUsers to block user login. You can use wild cards as well. For the DenyGroups setting, a list of group names, if user is part of primary of supplementary group login access is denied. You can use wildcards. Please note that you cannot use a numeric group or username ID. If these directives are not used, default is to allow everyone.