How to get the list of all users who can access a server via ssh?
My answer draws from answers to this stackoverflow question.
Listing all "users"
I was expecting there would be a way I could just say, show me all the users that can ssh onto my server.
What I didn't realise is that there isn't a distinction between people-users and system-"users", so while you can list all users with this command, it's probably a lot longer than you were expecting/hoping-for:
cat /etc/passwd
Showing all users with a valid shell
If the user's shell is set to /etc/false then they cannot log on, so this trims down the list of possible ssh users:
cat /etc/passwd | grep -v /bin/false
But that is still a pretty big list.
Users who actually have access
If a user doesn't have a valid password that could be an indication that they can't log on.
The /etc/shadow file holds the encrypted passwords; a "!" or a "*" in the 2nd column of this file means no password is set. We can filter those out for a new (probably shorter) list of users that have a valid password:
cat /etc/shadow | grep '^[^:]*:[^\*!]'
Details about the regex:
- ^ - The pattern has to match at the start of the line
- [^:]* - Match any character that is not ":" between zero and unlimited times
- : - Match the character ":" literally
- [^\*!] - Match any character that is not "*" or "!" once
Note that the regex is wrapped in single quotes; this is important because many characters that are special to regex are special to bash as well (see part 2 of this answer).
The only other accounts that are not covered by that would be those that have an ssh key on their user account, so you need to also look at the users that have a home folder:
ls -l /home
Restricting access
OK - so now I have a somewhat limited list - and I want to remove access for a couple of accounts.
@Yaron's answer describes this in more detail (as does this), but briefly: the /etc/ssh/sshd_config file says which accounts can ssh, and if you set AllowUsers in there then the other users will be restricted, so you can edit that file to be explicit about who you want to allow to log on:
vi /etc/ssh/sshd_config
And add a line saying
AllowUsers user1 user2
Finally restart the ssh service
service ssh restart
(depending on your system - see this for service restart on other systems)
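The checks in this answer (login shell, locked hash in /etc/shadow, authorized_keys in the home folder) combined into one audit listing, as an added example that is not part of the original answers. It reads passwd/shadow-format files given as arguments, so the constructed sample below runs offline; the home paths, user names and hashes are all made up.

```bash
#!/bin/bash
# Added audit example, not code from the original answers: combine the three checks
# above (a real login shell, an unlocked hash in /etc/shadow, an authorized_keys file
# in $HOME) into one listing of accounts that could plausibly open an ssh session.
# It takes passwd/shadow-format files as arguments so it can run against constructed
# samples; on a live host pass /etc/passwd and /etc/shadow (reading shadow needs root).
set -u

# Prints "user shell password-state key-state" for each candidate account.
ssh_candidates() {
  local passwd_file=$1 shadow_file=$2
  awk -F: '
    NR == FNR { hash[$1] = $2; next }   # first file (shadow): remember the hash field
    {                                   # second file (passwd)
      user = $1; home = $6; shell = $7
      # /bin/false and *nologin shells cannot get an interactive session at all.
      if (shell ~ /(\/bin\/false|nologin)$/) next
      h = (user in hash) ? hash[user] : "*"
      pw = (h == "") ? "empty" : (h ~ /^[!*]/) ? "locked" : "password"
      key = (system("test -s \"" home "/.ssh/authorized_keys\"") == 0) ? "key" : "nokey"
      # A locked password does not stop key-based login, so keep locked+key accounts;
      # an empty hash is flagged too since it is a misconfiguration worth reviewing.
      if (pw != "locked" || key == "key") print user, shell, pw, key
    }' "$shadow_file" "$passwd_file"
}

# Constructed sample data (fake hashes, temp directory), not from any real system.
demo() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/home/carol/.ssh"
  echo "ssh-ed25519 AAAA-constructed-key carol@example" > "$d/home/carol/.ssh/authorized_keys"
  cat > "$d/passwd" <<EOF
root:x:0:0:root:$d/home/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:$d/home/alice:/bin/bash
bob:x:1001:1001:Bob:$d/home/bob:/bin/false
carol:x:1002:1002:Carol:$d/home/carol:/bin/bash
dave:x:1003:1003:Dave:$d/home/dave:/bin/bash
EOF
  cat > "$d/shadow" <<EOF
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:\$6\$constructed\$notarealhash:19000:0:99999:7:::
bob:\$6\$constructed\$notarealhash:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
dave:!:19000:0:99999:7:::
EOF
  ssh_candidates "$d/passwd" "$d/shadow"   # expect: alice (password) and carol (key only)
  rm -rf "$d"
}
demo
```

Cross-check the result against AllowUsers in sshd_config: any account listed here that is not in AllowUsers (when that directive is set) is blocked by sshd regardless of its shell, hash or keys.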
By default all users of a specific machine can log in to this machine using ssh. You can configure sshd to allow access to only part of the machine's users.
The Ubuntu ssh man page specifies that you can allow/deny specific users/groups in sshd_config (OpenSSH SSH daemon configuration file):
- /etc/ssh/sshd_config
- AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces.
- If specified, login is allowed only for user names that match one of the patterns.
- Only user names are valid; a numerical user ID is not recognized.
- By default, login is allowed for all users.
- If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
- The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
The list of all users in the server machine can be found by running the below command on the server machine:
cat /etc/passwd
According to the updated question, the /etc/passwd doesn't hold several usernames. This might be the result of the server being part of Network Information Service, LDAP or SAMBA.
To review all users & groups known by your server, from whatever sources they come, you would preferably use the getent command:
getent passwd
Discussion summary:
It seems that you have LDAP on the server, and it was configured to disable access to the listing of LDAP users.
Otherwise getent passwd would show you the passwd file.