$ Linux One Liners
Back to lessons

Cybersecurity Triage

Risk: safe

List SSH Allow and Deny Rules

You need to find SSH allow-list and deny-list directives across the main config and include files.

Command

grep -RhnE '^(AllowUsers|AllowGroups|DenyUsers|DenyGroups|Match )' etc/ssh

Before you run this

Risk: safe. Do not remove allow or deny rules from this output alone; confirm group membership, Match context, and operational ownership first.

Expected output

Line-numbered SSH access directives from sshd_config and included files.

System impact

Nothing changes. The command searches fixture-local SSH config files and prints matching access directives with file and line numbers.

Recovery / rollback: no state is changed.

When to use it

Use during access reviews, server handoffs, or when a user can authenticate but still cannot open an SSH session.

When not to use it

Do not remove allow or deny rules from this output alone; confirm group membership, Match context, and operational ownership first.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ find etc/ssh -type f -print | sort

etc/ssh/sshd_config
etc/ssh/sshd_config.d/access.conf

$ grep -RhnE '^(AllowUsers|AllowGroups|DenyUsers|DenyGroups|Match )' etc/ssh

1:DenyUsers test oldadmin
2:AllowGroups ssh-login deployers
6:AllowUsers alice deploy
8:Match Address 198.51.100.0/24
View reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. find etc/ssh -type f -print | sort
  2. grep -RhnE '^(AllowUsers|AllowGroups|DenyUsers|DenyGroups|Match )' etc/ssh

next steps

Related commands

Cybersecurity Triage Risk: safe

Show SSH Auth Policy Order

The order of Include, Match, and authentication directives changes how SSH policy reads.

grep -nE '^(Include|Match |PubkeyAuthentication|PasswordAuthentication|AuthenticationMethods|[[:space:]]+(PasswordAuthentication|AuthenticationMethods))' etc/ssh/sshd_config
Cybersecurity Triage Risk: safe

Check Key SSH Authentication Settings

SSH policy should be visible before you change it.

grep -nE '^(PasswordAuthentication|PermitRootLogin|PubkeyAuthentication|AllowUsers)' etc/ssh/sshd_config
Cybersecurity Triage Risk: safe

Find SSH Password Auth Exceptions

A global password-auth setting can be changed later by a Match block.

awk '/^Match /{ctx=$0} /^PasswordAuthentication|^AuthenticationMethods|^[[:space:]]+PasswordAuthentication|^[[:space:]]+AuthenticationMethods/ {print (ctx ? ctx : "global") ": " $0}' etc/ssh/sshd_config
Cybersecurity Triage Risk: safe

Extract SSH AllowUsers Accounts

AllowUsers turns SSH access into an explicit account list.

awk '/^AllowUsers/ {for (i = 2; i <= NF; i++) print $i}' etc/ssh/sshd_config
Cybersecurity Triage Risk: safe

Review sudo Grants

Privilege paths should be visible before you remove or approve access.

awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:107-admin-tasks
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • lfcs:users-groups
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.