How to prevent domain users from being able to SSH to nethserver

Is there a way in nethserver to set a setting that would prevent my domain users from being able to attempt to ssh into the nethserver?

Thanks

Check the Shell Policy and SSH settings.

By default, SSH and SFTP access is granted to the following groups of administrators:

  • root
  • wheel

When an account provider is configured, the access is granted to domain admins, too.

It is possible to grant access to normal users and groups with the Allow SSH/SFTP access selector.

With that in place domain users won’t be able to log in through SSH.
If ssh port is reachable anyone can attempt to log in (additional measures can be applied).

Hi Marc,

I did not make my issue clear, sorry about that.

I am noticing that I am able to ssh and log into the GUI as root and I get prompted for 2FA.

When we log in as a domain admin, I do not get prompted for 2FA.

Is it possible to just deny them (domain admins) in general and reserve ssh and web console login to only the root user on the Linux VM itself and nothing else?

Thank you

Yes, on the SSH page you can remove the default SSH access permissions assigned to Domain Admin’s Group.

Hi marc,

I am not seeing this setting?

Cannot check it right now but if I recall correctly:
System > Settings > Override Shell of Users (Activate it)

Then System > SSH…


It is there but cannot be changed.

With Override Shell of Users disabled, you can enable/disable user’s shell individually:

With shell enabled SSH is granted. With shell disabled, SSH connects but hangs at creating user dir and the connection is closed.

Thank you. One last Q. for now. Do you know if it is possible to enable 2FA across the board for nethserver or will each admin have to enable it themselves?

Each admin will have to enable it for themselves, as far as I know.

It should be possible but maybe requires some custom template to change the sshd_config file, specifically at least to change the values for AllowGroups and Match Group.

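The last reply points at AllowGroups and Match Group in sshd_config. As an added example that is not part of the thread, this Python check lists every group those two directives reference, so you can confirm that only root and wheel remain once the domain admins entry has been removed. The sample config, the `backup` group and the quoted spelling of the domain admins group are constructed assumptions, not taken from a real NethServer file.

```python
import shlex

# Groups the thread lists as the default SSH/SFTP administrators.
EXPECTED = {"root", "wheel"}

# Constructed sample for illustration; not a real NethServer sshd_config.
SAMPLE = """\
Port 22
# A group name containing a space has to be double-quoted.
AllowGroups root wheel "domain admins"
Match Group "domain admins",backup
    X11Forwarding no
"""

def words(line):
    """Split one sshd_config line, honouring double quotes and # comments."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'   # only double quotes delimit arguments here
    lex.escape = ""    # keep backslashes, e.g. in DOMAIN\\group style names
    return list(lex)

def ssh_groups(text):
    """Return (groups on AllowGroups lines, groups named by Match Group)."""
    allowed, matched = [], []
    for line in text.splitlines():
        w = words(line)
        if not w:
            continue
        key = w[0].lower()  # keywords are case-insensitive
        if key == "allowgroups":
            # Every AllowGroups line is collected, whatever block it sits in.
            allowed += w[1:]
        elif key == "match":
            # Criteria come as "name value" pairs; Group takes a comma list.
            for name, value in zip(w[1::2], w[2::2]):
                if name.lower() == "group":
                    matched += value.split(",")
    return allowed, matched

def unexpected_groups(text, expected=EXPECTED):
    """Groups referenced by either directive that are outside `expected`."""
    allowed, matched = ssh_groups(text)
    return sorted(set(allowed + matched) - set(expected))

if __name__ == "__main__":
    print(unexpected_groups(SAMPLE))
```

Feed it the text of the live sshd_config after changing the SSH page; an empty list means only the expected groups are referenced.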