littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0

Support for AllowGroups instead of AllowUsers in the SSH daemon? #165

Open vivvvi opened 2 years ago

vivvvi commented 2 years ago

change request:

    /etc/ssh/sshd_config:  Use AllowGroups instead of AllowUsers in sshd_config.

slickstack by default uses AllowUsers, whereas in a multi-user / multi-group Linux environment AllowGroups is essential, and in my opinion more desirable for everyone.

my configuration:

In our environment we have a group called ssh-users and users that are allowed to login added to the group.

so... in /etc/ssh/sshd_config

I replace the line for AllowUsers with

    AllowGroups ssh-users

jessuppi commented 2 years ago

Thanks for sharing @vivvvi

One thing I hadn't considered when you mentioned this on Discord is IP restrictions. To simplify IP restrictions, we use the SSH daemon for this (instead of e.g. hosts file or UFW firewall rules):

    AllowUsers @SUDO_USER@SSH_IPV4 @SFTP_USER

If we wanted to support IP restrictions per sudo group, I think we need to use a Match block:

Ref: https://unix.stackexchange.com/questions/334566/using-allowgroups-and-restrict-by-ip-address

I don't really like Match blocks as I think it complicates the SSH daemon, esp. since we are already using a chroot block for the SFTP user on SlickStack. Will probably need to consider all of this and see if it's possible.

    Subsystem sftp internal-sftp
    Match User @SFTP_USER
    ChrootDirectory /var/www
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Ref: https://github.com/littlebizzy/slickstack/blob/master/modules/ubuntu/22.04/sshd-config.txt

Anyway, I'm guessing your agency does not even use SFTP access at all, which is why you take that approach? Or, do you use another group for allowing SFTP access only?
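The Match-based design discussed above, written out as an added example (this is not SlickStack's own sshd-config.txt): @SSH_IPV4 and @SFTP_USER are the page's placeholders, the ssh-users group comes from the opening post, and sftp-users is an assumed group name for the SFTP account.

```sshd_config
# Added example, not SlickStack's shipped config. @SSH_IPV4 / @SFTP_USER are the
# page's placeholders; "ssh-users" is from the opening post; "sftp-users" is an
# assumed group that the SFTP account is a member of.

# Global section: by default only the SFTP group may log in at all.
# AllowGroups is an allow-list, so a user in neither group is refused.
AllowGroups sftp-users
Subsystem sftp internal-sftp

# Match blocks go last. Every directive after a Match line applies only to
# connections that satisfy it, until the next Match line or end of file.

# Widen the allow-list only for connections from the trusted address. A member
# of ssh-users is accepted from @SSH_IPV4 and refused from anywhere else, which
# is what "AllowUsers @SUDO_USER@SSH_IPV4" achieved per user.
Match Address @SSH_IPV4
    AllowGroups ssh-users sftp-users

# The SFTP chroot block from the page, unchanged. Match blocks are evaluated
# independently, so it still applies alongside the address block above.
Match User @SFTP_USER
    ChrootDirectory /var/www
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Before deploying, inspect the value sshd would actually apply for a given user and source with `sshd -T -C user=alice,addr=192.0.2.10 | grep -i allowgroups` (alice and 192.0.2.10 are constructed values), and repeat with an untrusted address to confirm the list shrinks back to sftp-users.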

jessuppi commented 2 years ago

By the way, we might also need to revise groups in sudoers...

By default Ubuntu has @sudo and @admin groups... just mentioning this here to remember later.

Ref: https://github.com/littlebizzy/slickstack/blob/master/modules/ubuntu/sudoers.txt