"AllowUsers username" to /etc/ssh/sshd_config

[tonymontana]

Hi

I have question about install DirectAdmin and this point from documentation:

You *must* add "AllowUsers username" to /etc/ssh/sshd_config before you log out from root or you'll lose root on the server forever, and you'll have to format.

If i understand well - I have to add "AllowUsers admin" to the end of /etc/ssh/sshd_config file?

Thank you for all replies.

 

[scriptkitty]

This behavior was recently changed. See https://directadmin.com/features.php?id=2760

 

[LawsHosting]

By this, I always thought you needed to add root in that file if you log into ssh with a non-root user (eg. debian) when root is disabled

 

[Richard G]

@Peter Laws You do need to have root in there as far as I understand:

TODO: The setup.sh will also be changed to only add AllowUsers root,

The describtion about how it works is rather unclear. Does the new bevhiour mean the AllowerUser is not necessary anymore to give users or resellers SSH access, is it done another way? Or..... very unclear to me.

 

[scriptkitty]

@Peter Laws You do need to have root in there as far as I understand:


The describtion about how it works is rather unclear. Does the new bevhiour mean the AllowerUser is not necessary anymore to give users or resellers SSH access, is it done another way? Or..... very unclear to me.

TODO: The setup.sh will also be changed to only add AllowUsers root, AllowUsers admin if there are already AllowUsers entries in this file.

So, if any AllowUsers entries exist, then root and admin will be allowed. If no AllowUsers entries exist, then none will be added.

If you have no AllowUsers entries in your SSHd config file, then all users are permitted to attempt to login via SSH.

If you have a single entry, then all users except for those listed in that entry are denied access.

 

[tonymontana]

Thank you for all replies!
Before I installed without this and have to format and install all again.

Have a nice day!

 

[LawsHosting]

If you have no AllowUsers entries in your SSHd config file, then all users are permitted to attempt to login via SSH.

But root needs to be there if you do not use root to login to SSH, going by the guide, else the above will happen.

So, when you give SSH access to users, I assume DA adds the AllowUsers entry for the user?

 

[floyd]

I think it all depends on which OS you are using. I have never added AllowUsers for root.

 

[karolis]

But root needs to be there if you do not use root to login to SSH, going by the guide, else the above will happen.

sshd_config has PermitRootLogin option. if set to "no" it shouldn't allow root login. the default is "prohibit-password" which only allows root login with ssh key.

So, when you give SSH access to users, I assume DA adds the AllowUsers entry for the user?

DA will only add AllowUsers if there is already AllowUsers in sshd config. Else it just changes login shell for user.

 

[floyd]

sshd_config has PermitRootLogin option. if set to "no" it shouldn't allow root login. the default is "prohibit-password" which only allows root login with ssh key.

Again depends on the OS. CentOS does not have PermitRootLogin set at all, its commented, and it does allow root login.

 

[karolis]

You are right. According to sshd_config manual, PermitRootLogin default is "yes" on CentOS7. On CentOS8 the default for PermitRootLogin is changed but sshd_config in the package has uncommented "PermitRootLogin yes" line.

 

[Richard G]

Again depends on the OS. CentOS does not have PermitRootLogin set at all, its commented, and it does allow root login.

Correct, because the default is yes, so it can be left commented.