How to get the list of all users who can access a server via ssh?
How can I get the list of all the users who can ssh to a server via ssh [email protected]?
Please note that I'm aware of this question and that it does not do what I want!
If it helps, the server has a great many users in many different groups, and under the home directory there are some group directories with many user directories inside them.
Edited:
Please note that the result I get from /etc/passwd is not what I want and is as follows:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
shelladmin:x:1000:1000:shelladmin,,,:/home/shelladmin:/bin/bash
messagebus:x:104:106::/var/run/dbus:/bin/false
festival:x:105:29::/home/festival:/bin/false
ntp:x:106:108::/home/ntp:/bin/false
This list doesn't even include my own username, let alone the other 1000 users!
Edited 2:
So I chatted with Yaron a little, and here is some more info about the system:
-bash-4.2$ ls -lsa /etc/init.d/nis
ls: cannot access /etc/init.d/nis: No such file or directory
-bash-4.2$ ls -lsa /var/yp
ls: cannot access /var/yp: No such file or directory
If it helps, this is the output of ls -lsa /var:
-bash-4.2$ ls -lsa /var
total 48
4 drwxr-xr-x 12 root root 4096 Oct 25 2016 .
4 drwxr-xr-x 22 root root 4096 Oct 25 2016 ..
4 drwxr-xr-x 2 root root 4096 Oct 26 2016 backups
4 drwxr-xr-x 10 root root 4096 Oct 25 2016 cache
4 drwxr-xr-x 34 root root 4096 Oct 25 2016 lib
4 drwxrwsr-x 2 root staff 4096 May 7 2012 local
0 lrwxrwxrwx 1 root root 9 Oct 25 2016 lock -> /run/lock
4 drwxr-xr-x 9 root root 4096 Dec 10 06:25 log
4 drwxrwsr-x 2 root mail 4096 Jul 30 00:51 mail
4 drwxr-xr-x 2 root root 4096 Nov 21 2012 opt
0 lrwxrwxrwx 1 root root 4 Oct 25 2016 run -> /run
4 drwxr-xr-x 5 root root 4096 Oct 25 2016 spool
4 drwxrwxrwt 12 root root 4096 Dec 10 08:18 tmp
4 drwxr-xr-x 2 root root 4096 Feb 16 2013 www
-bash-4.2$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
shelladmin:x:1000:1000:shelladmin,,,:/home/shelladmin:/bin/bash
messagebus:x:104:106::/var/run/dbus:/bin/false
festival:x:105:29::/home/festival:/bin/false
ntp:x:106:108::/home/ntp:/bin/false
-bash-4.2$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-bash-4.2$ cd /etc/sssd/
-bash: cd: /etc/sssd/: No such file or directory
My answer draws from answers to this Stack Overflow question.
Listing all "users"
I was expecting there would be a way I could just say, show me all the users that can ssh onto my server.
What I didn't realise is that there isn't a distinction between people-users and system-"users", so while you can list all users with this command, the list is probably a lot longer than you were expecting or hoping for:
cat /etc/passwd
Showing all users with a valid shell
If the user's shell is set to /bin/false then they cannot log on, so this trims down the list of possible ssh users:
cat /etc/passwd | grep -v /bin/false
But that is still a pretty big list.
Users who actually have access
If a user doesn't have a valid password that could be an indication that they can't log on.
The /etc/shadow file holds the encrypted passwords; a "!" or a "*" in the 2nd column of this file means no password is set. We can filter those out for a new (probably shorter) list of users that have a valid password:
cat /etc/shadow | grep '^[^:]*:[^\*!]'
Details about the regex:
- ^ means the pattern has to be at the start of the line
- [^:]* matches any character that is not ":", between 0 and unlimited times
- : matches the character ":" literally
- [^\*!] matches any character that is not "*" or "!", once
Note that the regex is wrapped in single quotes; this is important because many characters special to regex are special to bash as well (see part 2 of this answer).
The only other accounts not covered by that would be those that have an ssh key on their user account, so you also need to look at the users that have a home folder:
ls -l /home
Restricting access
OK - so now I have a somewhat limited list - and I want to remove access for a couple of accounts.
@Yaron's answer describes this in more detail (as does this), but briefly: the /etc/ssh/sshd_config file says which accounts can ssh, and if you set AllowUsers in there then the other users will be restricted, so you can edit that file to be explicit about who you want to allow to log on:
vi /etc/ssh/sshd_config
And add a line saying
AllowUsers user1 user2
Finally restart the ssh service
service ssh restart
(depending on your system - see this for service restart on other systems)
By default, all users of a specific machine can log in to this machine using ssh.
You can configure sshd to allow access to only some of the machine's users.
The Ubuntu ssh man page (sshd_config, the OpenSSH SSH daemon configuration file, /etc/ssh/sshd_config) specifies that you can allow/deny specific users/groups:
- AllowUsers: This keyword can be followed by a list of user name patterns, separated by spaces.
- If specified, login is allowed only for user names that match one of the patterns.
- Only user names are valid; a numerical user ID is not recognized.
- By default, login is allowed for all users.
- If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
- The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
The list of all users on the server machine can be found by running the command below on the server machine:
cat /etc/passwd
According to the updated question, the /etc/passwd file doesn't hold several of the usernames. This might be the result of the server being part of a Network Information Service, LDAP or SAMBA setup.
To review all users & groups known by your server, from whatever sources they come, you would preferably use the getent command:
getent passwd
Discussion summary:
It seems that you have LDAP on the server, and it was configured to disable the listing of LDAP users. Otherwise getent passwd would show you the passwd file.
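Putting the two answers together as one audit script (an added example, not code from the question or either answer): the shell, shadow-password and authorized_keys checks from the first answer, followed by the DenyUsers/AllowUsers filter from Yaron's answer. The user names, placeholder hashes and key in the sample are constructed; the HOMEROOT argument lets the same function run against a sample tree or against "/" on a real host.

```shell
#!/bin/sh
# Audit of who could log in over ssh, combining the checks from both answers: a login
# shell (not /bin/false or nologin) AND (a usable password hash in shadow OR a non-empty
# ~/.ssh/authorized_keys), then sshd_config DenyUsers/AllowUsers in the order sshd uses.
# Limits: plain user names only (no USER@HOST or wildcard patterns, no Allow/DenyGroups).
# Usage: ssh_candidates PASSWD SHADOW SSHD_CONFIG HOMEROOT; HOMEROOT is prefixed to the
# passwd home field ("/" for the live system, a temp dir for the constructed sample below).
ssh_candidates() {
  passwd=$1; shadow=$2; conf=$3; homeroot=$4
  allow=$(awk 'tolower($1)=="allowusers"{for(i=2;i<=NF;i++)print $i}' "$conf")
  deny=$(awk 'tolower($1)=="denyusers"{for(i=2;i<=NF;i++)print $i}' "$conf")
  while IFS=: read -r user _ _ _ _ home shell; do
    case "$shell" in */false|*/nologin) continue ;; esac   # no shell: cannot log in
    pwhash=$(awk -F: -v u="$user" '$1==u{print $2}' "$shadow")
    case "$pwhash" in   # empty, "!..." or "*..." means no usable password
      ''|'!'*|'*'*) [ -s "$homeroot$home/.ssh/authorized_keys" ] || continue ;;
    esac
    # sshd evaluates DenyUsers first; a non-empty AllowUsers then acts as a whitelist
    printf '%s\n' "$deny" | grep -qx -- "$user" && continue
    if [ -n "$allow" ]; then printf '%s\n' "$allow" | grep -qx -- "$user" || continue; fi
    printf '%s\n' "$user"
  done < "$passwd"
}
# Constructed sample (invented users, placeholder hashes and key) written under $1.
make_sample_data() {
  d=$1; mkdir -p "$d/home/carol/.ssh"
  echo 'ssh-ed25519 PLACEHOLDER-KEY carol@laptop' > "$d/home/carol/.ssh/authorized_keys"
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/false
erin:x:1005:1005::/home/erin:/bin/bash
EOF
  cat > "$d/shadow" <<'EOF'
root:$6$placeholder:17000:0:99999:7:::
alice:$6$placeholder:17000:0:99999:7:::
bob:!:17000:0:99999:7:::
carol:!:17000:0:99999:7:::
dave:$6$placeholder:17000:0:99999:7:::
erin:$6$placeholder:17000:0:99999:7:::
EOF
  printf 'AllowUsers alice bob carol erin\nDenyUsers erin\n' > "$d/sshd_config"
}
# Demo: root (not in AllowUsers), bob (locked, no key), dave (/bin/false) and erin
# (DenyUsers) drop out; expected output is "alice" then "carol".
tmp=$(mktemp -d); make_sample_data "$tmp"
ssh_candidates "$tmp/passwd" "$tmp/shadow" "$tmp/sshd_config" "$tmp"; rm -rf "$tmp"
```

On a host where accounts come from LDAP or NIS, feed it `getent passwd` and `getent shadow` output saved to files instead of /etc/passwd and /etc/shadow, since the local files alone miss those users.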