When trying to log in with SSH to a Server Agent where access is expected to be granted you may see an error message about DenyGroups or AllowGroups, even if BoKS is activated.
User foo from host.domain not allowed because a group is listed in DenyGroups
Resolution / Workaround
When BoKS loses the ability to contact the Master/Replicas it will enter offline mode. Normally you would only be able to log in to an offline Server Agent as root on the console, but it is possible to set BoKS up to also allow SSH access, for example, by using the the ENV file parameters OFFLINE_SUPPORT=on, OFFLINE_SERVICES=ssh and/or OFFLINE_SERVICES_ROOT=ssh. For details of these parameters, please see the BoKS man page ENV(4).
In offline mode, the AllowGroups and DenyGroups options in $BOKS_etc/ssh/sshd_config..active will be enforced.
When BoKS is active and online, a user denied access by these options can still authenticate if allowed by BoKS. When BoKS is active and offline, it is possible to add more granular user authorization for SSH login by using the options AllowGroups and/or DenyGroups in the file $BOKS_etc/ssh/sshd_config..active. These options are ignored when a BoKS Server Agent for Unix/Linux is online, but enforced when the Server Agent is offline.
Using the options AllowGroups and/or DenyGroups in combination with BoKS secondary Unix group management allows remote management of users authorized for offline SSH login (for details please see the Administration Guide for your BoKS version).
When BoKS is deactivated, these options function as described in the sshd_config man page.
Still have questions? We can help. Submit a case to Technical Support.