Yunohost diagnostic error no AllowGroups AllowUsers directive in ssh configuration file

My YunoHost server

Debian 11,
CPU1: 13th Gen Intel(R) Core™ i5-13500 (Cores 20)
Memory: 64125 MB
YunoHost version: 11.1.20
I have access to my server : Through SSH…
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

The SSH configuration appears to have been manually modified, and is insecure because it contains no ‘AllowGroups’ or ‘AllowUsers’ directive to limit access to authorized users.

But to my understanding, let's say my existing SSH login user name is cceuser.
This cceuser is a user under the admins group in Yunohost.
cceuser is not found in /etc/shadow, where user account and password are stored.

It seems that the ssh login prompt will only log in users that are registered under Yunohost admins group.

So what is the need to have the AllowGroups, AllowUsers directives in /etc/ssh/sshd_config, since the SSH login process no longer uses the directive to decide which user can log in to the server?

YunoHost users are LDAP users, not regular “UNIX” users, so yes, they don’t appear in /etc/shadow

I’m not sure what you mean exactly by “will only log in” … also what makes you arrive at this conclusion?

The issue is precisely that without those directives, any user can log in through SSH …

Hi Aleks,
Perhaps I have wrongly understood the concept.
Because of installing Yunohost,
my understanding is I can no longer log in using "root".

Only users registered under Yunohost admins group can login via SSH.

Perhaps this understanding is incorrect.
But when I try to log in using root, I couldn’t get the password correct. So I thought I would no longer be able to log in using root.

Am I correct to say that all users that could log in previously, prior to the Yunohost installation, can still log in as usual?

Because it seems that now I can only login using username that is registered under yunohost admins group.

Hmyeah, root is a special case, it’s common practice to disable root login.

Nevertheless, apart from that exception, without any AllowUsers or AllowGroups directive, any user on the system can log in through SSH, which is “not cool”, because you can quickly end up with some stupid situation such as having defined a user “test” with password “test”, leading to an attacker being able to log in, without realizing that any user can SSH into the system …

Thank you Aleks for the clarification, because prior to installing Yunohost, my server only had “root” as login user; it is a new server.

That is why I thought all users and root prior to the Yunohost installation no longer have access to SSH, hence I asked why there is a need for the AllowGroups, AllowUsers directives.

OK, I will try to create some users other than those under the Yunohost admins group, to see if these users can log in via SSH,

then I will put in directives to bar them from logging in through SSH.

Thank you again
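
A check of the kind the diagnosis message describes, as an added example that is not part of the original thread and not YunoHost's own code: it reports whether the global section of an sshd_config-style file contains an AllowUsers or AllowGroups directive. The function name, the sample files and the group name in them are constructed; Include files are not followed and the scan stops at the first Match block.

```shell
#!/bin/sh
# Added example: list AllowUsers/AllowGroups directives found in the global
# section of an sshd_config-style file. Exit status 1 means none were found.
# Assumptions: Include files are not followed, and anything after the first
# Match line is ignored because it only applies conditionally. On a live
# server the effective values come from `sshd -T` run as root.
sshd_access_limits() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/^[ \t]+/, "") }                   # strip leading whitespace
        tolower($1) == "match" { exit }          # global section ends here
        {
            kw = tolower($1)                     # keywords are case-insensitive
            sub(/=.*/, "", kw)                   # tolerate the "Key=value" form
            if (kw == "allowusers" || kw == "allowgroups") { print; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs (not taken from any real server).
tmp=$(mktemp -d)
# No global restriction: the only AllowGroups line is commented out and the
# AllowUsers line sits inside a Match block.
printf '%s\n' 'Port 22' 'PermitRootLogin no' '#AllowGroups admins' \
    'Match User backup' '    AllowUsers backup' > "$tmp/open.conf"
# Global restriction present, written in lower case.
printf '%s\n' 'Port 22' 'allowgroups admins' > "$tmp/limited.conf"

for f in "$tmp/open.conf" "$tmp/limited.conf"; do
    if out=$(sshd_access_limits "$f"); then
        echo "$f: SSH logins limited by: $out"
    else
        echo "$f: no global AllowUsers/AllowGroups directive"
    fi
done
```
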
