Ssh – ‘ALL=(ALL) NOPASSWD: ALL’ not working

root ssh sudo

Restricting root SSH access works perfectly on CentOS 6, but using the same method fails on CentOS 7. What are we doing wrong? An interesting point is that on our CentOS 6 machines we have stated that only our defined user is permitted in sshd_config:

AllowUsers OurUser 

and others are not permitted.
But on our CentOS 7 machines we have to permit root too. Otherwise neither root nor our user is allowed to log in. I have checked the sudoers file many times and it seems OK.

OurUser ALL=(ALL) NOPASSWD: ALL

Any clues?

Best Answer

I assume that your user has multiple matches, and the last one is the one which counts in the sudoers file. Without having the full file available it is hard to verify if this is the case, but it is definitely worth checking.

For further details see: https://www.sudo.ws/man/1.8.13/sudoers.man.html

SUDOERS FILE FORMAT

The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match). The sudoers grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly simple, and the definitions below are annotated
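
The last-match rule quoted above, as an added example (not part of the original answer and not sudo's own code): a small checker that lists every user specification matching a user and reports which one wins. It handles only a simplified subset of the grammar (one `who ALL=(runas) [TAG:] ALL` rule per line, no aliases or include files); `SAMPLE_SUDOERS` and the `wheel` group membership are constructed assumptions.

```python
import re

# Constructed sample, not from the post: the NOPASSWD rule is followed
# by a group rule that also matches the user.
SAMPLE_SUDOERS = """\
# constructed sample
root     ALL=(ALL)  ALL
OurUser  ALL=(ALL)  NOPASSWD: ALL
%wheel   ALL=(ALL)  ALL
"""

# who host=(runas) [TAG:] command -- deliberately simplified subset of sudoers
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:NOPASSWD|PASSWD):\s*)?(?P<cmnd>.+)$"
)

def matching_rules(text, user, groups=()):
    """Return (lineno, line, nopasswd) for each rule matching the user, in file order."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Comments (and '#include' directives) and Defaults lines are out of scope here.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who = m["who"]
        is_user = who in (user, "ALL")
        is_group = who.startswith("%") and who[1:] in groups
        if (is_user or is_group) and m["host"] == "ALL" and m["cmnd"].strip() == "ALL":
            hits.append((lineno, line, (m["tag"] or "").startswith("NOPASSWD")))
    return hits

def effective_rule(text, user, groups=()):
    """The last matching rule is the one sudo applies; None if nothing matches."""
    hits = matching_rules(text, user, groups)
    return hits[-1] if hits else None

if __name__ == "__main__":
    for lineno, line, nopasswd in matching_rules(SAMPLE_SUDOERS, "OurUser", ("wheel",)):
        print(f"line {lineno}: {line}  (NOPASSWD={nopasswd})")
    print("effective:", effective_rule(SAMPLE_SUDOERS, "OurUser", ("wheel",)))
```

On a real host, `sudo -l -U OurUser` run as root shows the rules sudo itself resolved, including any pulled in from include files.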