docs/80416: Add information on how to use AllowUsers to the OpenSSH section

Marc Fonvieille blackend at FreeBSD.org
Wed Apr 27 19:20:14 UTC 2005


The following reply was made to PR docs/80416; it has been noted by GNATS.

From: Marc Fonvieille <blackend at FreeBSD.org>
To: Brad Davis <so14k at so14k.com>
Cc: freebsd-doc at FreeBSD.org, bug-followup at FreeBSD.org
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Wed, 27 Apr 2005 21:15:53 +0200

 On Wed, Apr 27, 2005 at 07:00:32PM +0000, Brad Davis wrote:
 > The following reply was made to PR docs/80416; it has been noted by GNATS.
 > 
 > From: Brad Davis <so14k at so14k.com>
 > To: bug-followup at freebsd.org
 > Cc:  
 > Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
 > Date: Wed, 27 Apr 2005 12:58:35 -0600
 > 
 >  Fix a typo where my fingers got ahead of themselves. Noticed by remko@
 >  
 >  
 >  --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
 >  +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 12:56:10 2005
 >  @@ -4546,6 +4546,39 @@
 >       </sect2>
 >   
 >       <sect2>
 >  +      <title>AllowUsers - Controlling what users are allowed to login
 >  +        and from where</title>
 >  +
 
 I think you don't need to mention the option name in the title, but you
 have to respect "Chicago style" for titles like:
 
 	  <title>Controlling Which Users Are Allowed to Login and From
 	    Where</title>
 
 >  +      <para>It is often a good idea to only allow users to login from a
 >  +        certain host and not allow other users to login at all.
 >  +        AllowUsers is a good way to accomplish this. For example, to
 
             The <literal>AllowUsers</literal> option is a good way to
 	    accomplish this.  For example, to
 
 >  +        only allow the root user to login from <hostid
 
 	    only allow the <username>root</username> user to login
 	    from <hostid
 
 >  +        role="ipaddr">192.168.1.32</hostid>, something like this would
 >  +        be appropriate for &man.sshd_config.5;:</para>
 
 	    be appropriate in the
 	    <filename>/etc/ssh/sshd_config</filename> file:</para>
 
 >  +
 >  +      <programlisting>AllowUsers root at 192.168.1.32</programlisting>
 >  +
 >  +      <para>To allow a user, admin, to login from anywhere, use a
 >  +        <quote>*</quote>:</para>
 
 	  <para>To allow a user, <username>admin</username>, to login
 	    from anywhere, use the following:</para>
 
 >  +
 >  +      <programlisting>AllowUsers admin@*</programlisting>
 
 >  +      <programlisting>AllowUsers admin</programlisting>
 
 		yes, @* is useless
 
 >  +
 >  +      <para>Multiple users will all be listed on the same line:</para>
 >  +
 >  +      <programlisting>AllowUsers root at 192.168.1.32 admin@*</programlisting>
 
 	  <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
 >  +
 >  +      <note>
 >  +        <para>It is important that you list each user that needs to
 >  +          login to this machine, otherwise they will be locked out.</para>
 >  +      </note>
 >  +
 >  +      <para>After making any changes to <filename>sshd_config</filename>
 >  +         you must restart &man.sshd.8; by running:</para>
 >  +
 >  +      <programlisting>&prompt.root; killall -HUP sshd</programlisting>
 >  +    </sect2>
 >  +
 >  +    <sect2>
 >         <title>Further Reading</title>
 >         <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
 >         <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
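
 Review bot: In the final added paragraph, `killall -HUP sshd` signals every process named sshd, including the ones serving existing sessions, not only the listening daemon. Suggest `/etc/rc.d/sshd reload` instead, preceded by `sshd -t` to check the file, with a sentence telling the reader to keep an existing session open until a new login succeeds, since the note just above warns that unlisted users are locked out. The `AllowUsers root...` example could also say that it only admits root when PermitRootLogin permits root logins at all.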
 
 
 Marc
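
 Added example, not part of the original message or of the FreeBSD patch: a pre-reload check that reads the AllowUsers line discussed above and reports which required logins it would refuse. It also shows that the spaced form "root at 192.168.1.32", which is how this archive renders "@", parses as three separate patterns and admits root from any host. The matcher is a simplified model (USER and USER@HOST with * and ? only; negation, CIDR, DenyUsers, AllowGroups and PermitRootLogin are ignored), and the sample config, host addresses and the backup account are constructed.

```python
import re

# Constructed sample: the corrected line from the review, in sshd_config form.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed excerpt)
Port 22
AllowUsers root@192.168.1.32 admin
"""
# Constructed (user, source host) pairs that must keep working after the change.
REQUIRED_LOGINS = [("root", "192.168.1.32"), ("admin", "203.0.113.7"),
                   ("backup", "192.168.1.32")]

def _match(pattern, value):
    """Whole-string match where '*' is any run and '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def parse_allow_users(config_text):
    """Collect AllowUsers patterns; None means the keyword is not set."""
    patterns, seen = [], False
    for raw in config_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() == "allowusers":  # keywords are case-insensitive
            seen = True
            patterns.extend(fields[1:])
    return patterns if seen else None

def is_allowed(patterns, user, host):
    """Simplified model: USER matches from any host, USER@HOST only from HOST."""
    if patterns is None:
        return True  # no AllowUsers line, so this keyword restricts nobody
    for pattern in patterns:
        user_pat, at, host_pat = pattern.partition("@")
        if _match(user_pat, user) and (not at or _match(host_pat, host)):
            return True
    return False

def locked_out(config_text, required):
    """Return the required (user, host) logins the config would refuse."""
    patterns = parse_allow_users(config_text)
    return [(u, h) for u, h in required if not is_allowed(patterns, u, h)]

if __name__ == "__main__":
    print("locked out:", locked_out(SAMPLE_CONFIG, REQUIRED_LOGINS))
    spaced = parse_allow_users("AllowUsers root at 192.168.1.32")
    print("root from 10.0.0.5, spaced form:", is_allowed(spaced, "root", "10.0.0.5"))
```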


