
I have a system to which some users need to connect through regular SSH. I will name them the “Privileged Users”. At the same time this system should provide an SFTP server to an “Anonymous” user (without any password, or any authentication method).

For the moment, this is my sshd_config:

########################################################################
# Common configurations for both Privileged Users and Anonymous
########################################################################
PermitRootLogin no
StrictModes yes
PrintMotd yes
AcceptEnv LANG LC_*
banner /etc/banner
AllowUsers fauve libidiloup anonymous

########################################################################
# Desired configurations for Privileged Users (who are not Anonymous)
########################################################################

Match User fauve,libidiloup
    Protocol 2
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    Port 17129
    PasswordAuthentication no
    PermitEmptyPasswords no
    UsePAM yes
    UsePrivilegeSeparation yes
    ChallengeResponseAuthentication no
    PrintLastLog no
    Subsystem sftp internal-sftp
    KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    X11Forwarding yes


########################################################################
# Configuration for Anonymous
########################################################################

Match User anonymous
    PasswordAuthentication yes
    PermitEmptyPasswords yes
    ChrootDirectory /mnt/bibliotheque
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no

I am just worried about the security. Are the configurations of the Anonymous’s block enough?

Especially for the Protocol, RhostsRSAAuthentication, HostbasedAuthentication, UsePrivilegeSeparation, UsePAM options.

And does this configuration absolutely split the guest Anonymous from the Privileged Users’ capabilities?

fauve

1 Answer

Well, I made some tests and come back with the following feedback.

First, this is the final functional sshd_config I got:

########################################################################
# Common configurations for both Privileged Users and Anonymous
########################################################################
Protocol 2
PermitRootLogin no
StrictModes yes
PrintMotd yes
AcceptEnv LANG LC_*
banner /etc/banner
AllowUsers fauve anonymous
#AllowGroups sshprivileged

# The following directives could NOT be set on a Match block
UsePAM yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
PrintLastLog no
Subsystem sftp internal-sftp
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256

#########################################################################
## Desired configurations for Privileged Users (who are not Anonymous)
#########################################################################

Match User fauve
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PasswordAuthentication no
    PermitEmptyPasswords no
    X11Forwarding yes

#########################################################################
## Configuration for Anonymous
#########################################################################

Match User anonymous
    PasswordAuthentication yes
    PermitEmptyPasswords yes
    ChrootDirectory /mnt/bibliotheque
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no

There are mainly two things which were not possible in my first sshd_config.

  1. The block under the “The following directives could NOT be set on a Match block” comment contains directives which cannot be in a Match block.
  2. There is a conflict between AllowGroups and AllowUsers. The first directive overrides the second one.
fauve
    The `AllowGroups` and `AllowUsers` parameters have behavior that is not intuitive. When one of the parameters is present, users matching the parameter's list are allowed **and all other users are denied**. I haven't tested a config with both parameters present, but I would expect that only users who match **both** lists would be allowed. Users matching only one or the other list would be denied. – Sotto Voce Jun 07 '23 at 17:02
  • @SottoVoce yes, the combination between them seems to be not a _xor_ or an _or_ but an _and_. – fauve Jun 07 '23 at 17:08
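A way to confirm that the answer's final sshd_config really keeps the anonymous account confined and the privileged account locked to key-based login, as an added example that is not part of the original question or answer: OpenSSH's `sshd -T -C user=...` prints the effective configuration after Match blocks are applied, and the script below compares that dump against the values the answer's config intends. The host and address in the `-C` spec are constructed placeholders (only `Match User` is used here), and the expected values are read off the answer's config.

```python
"""Check the effective per-user sshd configuration against the intended split.

Added example (not from the original post). Uses `sshd -T -f <config> -C ...`,
which exists in OpenSSH and prints every keyword in lowercase with its
effective value once Match blocks for that connection have been applied.
"""
import subprocess

# Expected effective values, taken from the answer's sshd_config.
# "none" is what sshd -T prints for an unset ChrootDirectory / ForceCommand.
EXPECTED = {
    "anonymous": {
        "forcecommand": "internal-sftp",
        "chrootdirectory": "/mnt/bibliotheque",
        "allowtcpforwarding": "no",
        "x11forwarding": "no",
        "permitemptypasswords": "yes",
    },
    "fauve": {
        "passwordauthentication": "no",
        "permitemptypasswords": "no",
        "hostbasedauthentication": "no",
        "chrootdirectory": "none",
        "forcecommand": "none",
    },
}

def parse_effective(dump: str) -> dict:
    """Turn `sshd -T` output ("keyword value ...") into a {keyword: value} dict."""
    cfg = {}
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg

def check_user(user: str, cfg: dict) -> list:
    """Return a list of mismatches between the effective cfg and EXPECTED[user]."""
    problems = []
    for key, want in EXPECTED[user].items():
        got = cfg.get(key, "<unset>")
        if got != want:
            problems.append(f"{user}: {key} is '{got}', expected '{want}'")
    return problems

def dump_for(user: str, config_path: str = "/etc/ssh/sshd_config") -> str:
    """Ask the local sshd for the effective config of `user` (usually needs root).
    host/addr are constructed placeholders; older sshd versions require all three."""
    spec = f"user={user},host=client.example.invalid,addr=192.0.2.10"
    cmd = ["sshd", "-T", "-f", config_path, "-C", spec]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for account in EXPECTED:
        for problem in check_user(account, parse_effective(dump_for(account))):
            print(problem)
```

Run it as root on the server after every sshd_config change; an empty output means both accounts end up with the intended effective settings.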