A.3 GPO Best Practices

Review the best practices in this section when working with Linux Agent GPOs in AD Bridge.

Using the DenyUsers rule in SSH Configuration File settings

SSH DenyUsers entries for Active Directory user accounts should use ‘?’ in place of ‘@’. sshd treats ‘?’ as a one-character wildcard (it matches exactly one character), whereas on some Linux platforms sshd reads ‘@’ only as a host separator. Here is an example of the recommended DenyUsers SSH Configuration File rule:

DenyUsers user?domain.local

For more information about SSH and sshd_config, see https://en.wikibooks.org/wiki/OpenSSH.

Removing GPO SSH Configuration File assignments from Linux agents

Because of how configuration files are handled natively on Linux platforms, you should remove the GPO from the applicable Linux agents when removing a rule that you previously configured in the GPO. After removing the GPO, you can assign a new GPO if there are additional SSH settings that you require.

For example, if you have a DenyUsers SSH rule applied to one or more Linux agents using a Linux Agent GPO and you no longer require this exclusion, you will need to remove the GPO from the applicable agents to clear the setting in the SSH configuration file. You can then apply a new GPO that does not have this rule configured.

Understanding the AllowUsers rule in SSH Configuration File settings

When you add the AllowUsers rule in SSH Configuration File settings and apply it to one or more Linux agents, be aware that those users will be the only Active Directory users able to log in using SSH on the Linux agents where the GPO is applied.
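The ‘?’ versus ‘@’ behaviour for DenyUsers and the "only listed users" effect of AllowUsers can both be checked with a small model of how sshd evaluates those entries. This is an added example, not AD Bridge or BeyondTrust code; it assumes only sshd's ‘*’ and ‘?’ wildcards, that the first ‘@’ in an entry splits it into USER@HOST, and uses constructed user and host names.

```python
# Added example (not AD Bridge / BeyondTrust code): a model of how sshd
# evaluates DenyUsers and AllowUsers entries, showing why an Active Directory
# login name such as user@domain.local must be written as user?domain.local.
# Assumptions: only the '*' and '?' wildcards of sshd's pattern matching are
# modelled, an '@' in an entry splits it into USER@HOST, and the sample
# names and hosts below are constructed.

def match_pattern(value: str, pattern: str) -> bool:
    """sshd-style glob: '*' matches any run of characters, '?' exactly one."""
    if not pattern:
        return value == ""
    if pattern[0] == "*":
        # '*' may swallow zero or more characters; try every split.
        return any(match_pattern(value[i:], pattern[1:])
                   for i in range(len(value) + 1))
    if not value:
        return False
    if pattern[0] in ("?", value[0]):
        return match_pattern(value[1:], pattern[1:])
    return False

def entry_matches(entry: str, user: str, host: str) -> bool:
    """One DenyUsers/AllowUsers entry. The first '@' splits USER@HOST, so a
    literal user@domain.local means user 'user' connecting from 'domain.local'."""
    if "@" in entry:
        user_pat, host_pat = entry.split("@", 1)
        return match_pattern(user, user_pat) and match_pattern(host, host_pat)
    return match_pattern(user, entry)

def login_permitted(deny_users, allow_users, user, host="ws01.domain.local"):
    """sshd checks DenyUsers first; if AllowUsers is non-empty, the user must
    match at least one of its entries."""
    if any(entry_matches(e, user, host) for e in deny_users):
        return False
    if allow_users and not any(entry_matches(e, user, host) for e in allow_users):
        return False
    return True

if __name__ == "__main__":
    ad_user = "user@domain.local"          # constructed AD login name
    # Literal '@': sshd reads 'domain.local' as the client host, so NOT denied.
    print(login_permitted(["user@domain.local"], [], ad_user))   # True
    # Recommended '?': the wildcard matches the '@', so the account is denied.
    print(login_permitted(["user?domain.local"], [], ad_user))   # False
    # Caveat: '?' also matches any other single character in that position.
    print(login_permitted(["user?domain.local"], [], "user-domain.local"))  # False
    # AllowUsers: only the listed AD users can log in on agents with that GPO.
    print(login_permitted([], ["alice?domain.local"], "bob@domain.local"))  # False
```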