Date: Wed, 27 Apr 2005 19:20:13 GMT From: Marc Fonvieille <blackend@FreeBSD.org> To: freebsd-doc@FreeBSD.org Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section Message-ID: <200504271920.j3RJKDJl043834@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR docs/80416; it has been noted by GNATS.
From: Marc Fonvieille <blackend@FreeBSD.org>
To: Brad Davis <so14k@so14k.com>
Cc: freebsd-doc@FreeBSD.org, bug-followup@FreeBSD.org
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Wed, 27 Apr 2005 21:15:53 +0200
On Wed, Apr 27, 2005 at 07:00:32PM +0000, Brad Davis wrote:
> The following reply was made to PR docs/80416; it has been noted by GNATS.
>
> From: Brad Davis <so14k@so14k.com>
> To: bug-followup@freebsd.org
> Cc:
> Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
> Date: Wed, 27 Apr 2005 12:58:35 -0600
>
> Fix a typo where my fingers got ahead of themselves. Noticed by remko@
>
>
> --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml Wed Apr 27 01:28:51 2005
> +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml Wed Apr 27 12:56:10 2005
> @@ -4546,6 +4546,39 @@
> </sect2>
>
> <sect2>
> + <title>AllowUsers - Controlling what users are allowed to login
> + and from where</title>
> +
I think you don't need to mention the option name in the title, but you
have to respect "Chigaco style" for titles like:
<title>Controlling Which Users Are Allowed to Login and From
Where</title>
> + <para>It is often a good idea to only allow users to login from a
> + certain host and not allow other users to login at all.
> + AllowUsers is a good way to accomplish this. For example, to
The <literal>AllowUsers<literal> option is a good way to
accomplish this. For example, to
> + only allow the root user to login from <hostid
only allow the <username>root</username> user to login
from <hostid
> + role="ipaddr">192.168.1.32</hostid>, something like this would
> + be appropriate for &man.sshd_config.5;:</para>
be appropriate in the
<filename>/etc/ssh/sshd_config</filename> file:</para>
> +
> + <programlisting>AllowUsers root@192.168.1.32</programlisting>
> +
> + <para>To allow a user, admin, to login from anywhere, use a
> + <quote>*</quote>:</para>
<para>To allow a user, <username>admin</username>, to login
from anywhere, use the following:</para>
> +
> + <programlisting>AllowUsers admin@*</programlisting>
> + <programlisting>AllowUsers admin</programlisting>
yes, @* is useless
> +
> + <para>Multiple users will all be listed on the same line:</para>
> +
> + <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting>
<programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
> +
> + <note>
> + <para>It is important that you list each user that needs to
> + login to this machine, otherwise they will be locked out.</para>
> + </note>
> +
> + <para>After making any changes to <filename>sshd_config</filename>
> + you must restart &man.sshd.8; by running:</para>
> +
> + <programlisting>&prompt.root; killall -HUP sshd</programlisting>
> + </sect2>
> +
> + <sect2>
> <title>Further Reading</title>
> <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>;
> <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
Marc
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200504271920.j3RJKDJl043834>