Date: Wed, 27 Apr 2005 12:43:44 -0600 (MDT)
From: Brad Davis <so14k@so14k.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Message-ID: <20050427184344.75DCAB86E@mccaffrey.house.so14k.com>
Resent-Message-ID: <200504271850.j3RIoLqb038851@freefall.freebsd.org>
>Number: 80416
>Category: docs
>Synopsis: Add information on how to use AllowUsers to the OpenSSH section
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 27 18:50:20 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Brad Davis
>Release: FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD mccaffrey.house.so14k.com 5.4-STABLE FreeBSD 5.4-STABLE #0: Wed Apr 20 22:22:19 MDT 2005 root@mccaffrey.house.so14k.com:/usr/obj/usr/src/sys/SMP i386
>Description:
Add information on how to use AllowUsers to the OpenSSH section.
>How-To-Repeat:
>Fix:
--- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml Wed Apr 27 01:28:51 2005 +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml Wed Apr 27 05:55:23 2005 @@ -1,4 +1,4 @@ -<!-- +t!-- The FreeBSD Documentation Project $FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.269 2005/04/26 13:43:06 keramida Exp $ 
@@ -4543,6 +4543,39 @@ 8000, successfully evading the firewall.</para> </sect4> </sect3> + </sect2> + + <sect2> + <title>AllowUsers - Controlling what users are allowed to login + and from where</title> + + <para>It is often a good idea to only allow users to login from a + certain host and not allow other users to login at all. + AllowUsers is a good way to accomplish this. For example, to + only allow the root user to login from <hostid + role="ipaddr">192.168.1.32</hostid>, something like this would + be appropriate for &man.sshd_config.5;:</para> + + <programlisting>AllowUsers root@192.168.1.32</programlisting> + + <para>To allow a user, admin, to login from anywhere, use a + <quote>*</quote>:</para> + + <programlisting>AllowUsers admin@*</programlisting> + + <para>Multiple users will all be listed on the same line:</para> + + <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting> + + <note> + <para>It is important that you list each user that needs to + login to this machine, otherwise they will be locked out.</para> + </note> + + <para>After making any changes to <filename>sshd_config</filename> + you must restart &man.sshd.8; by running:</para> + + <programlisting>&prompt.root; killall -HUP sshd</programlisting> </sect2> <sect2> >Release-Note: >Audit-Trail: >Unformatted:
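Review bot: In the first hunk (@@ -1,4 +1,4 @@) the file's comment opener `<!--` becomes `t!--`, which looks like a stray keystroke and leaves the header comment containing "The FreeBSD Documentation Project" and the $FreeBSD$ line unopened. Drop this hunk so the patch carries only the new AllowUsers section.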
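Review bot: The final programlisting of the second hunk (@@ -4543,6 +4543,39 @@) uses `killall -HUP sshd`, which signals every process named sshd, including those serving established sessions, not only the listening daemon. Signal just the daemon instead, for example using the PID recorded in /var/run/sshd.pid (the default PidFile location), and say "reload" rather than "restart", since a HUP is what the command sends. Because the note warns that unlisted users are locked out, it would also help to tell the reader to keep the current session open and confirm a fresh login works before disconnecting. As a style point, AllowUsers, root and admin appear as bare text in the paragraphs; marking them up consistently with the rest of the chapter would make them stand out as literal values.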