docs/80416: Add information on how to use AllowUsers to the OpenSSH section

Marc Fonvieille blackend at FreeBSD.org
Wed Apr 27 19:15:56 UTC 2005


On Wed, Apr 27, 2005 at 07:00:32PM +0000, Brad Davis wrote:
> The following reply was made to PR docs/80416; it has been noted by GNATS.
> 
> From: Brad Davis <so14k at so14k.com>
> To: bug-followup at freebsd.org
> Cc:  
> Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
> Date: Wed, 27 Apr 2005 12:58:35 -0600
> 
>  Fix a typo where my fingers got ahead of themselves. Noticed by remko@
>  
>  
>  --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
>  +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 12:56:10 2005
>  @@ -4546,6 +4546,39 @@
>       </sect2>
>   
>       <sect2>
>  +      <title>AllowUsers - Controlling what users are allowed to login
>  +        and from where</title>
>  +

I think you don't need to mention the option name in the title, but you
have to respect "Chicago style" for titles like:

	  <title>Controlling Which Users Are Allowed to Login and From
	    Where</title>

>  +      <para>It is often a good idea to only allow users to login from a
>  +        certain host and not allow other users to login at all.
>  +        AllowUsers is a good way to accomplish this. For example, to

            The <literal>AllowUsers</literal> option is a good way to
	    accomplish this.  For example, to

>  +        only allow the root user to login from <hostid

	    only allow the <username>root</username> user to login
	    from <hostid

>  +        role="ipaddr">192.168.1.32</hostid>, something like this would
>  +        be appropriate for &man.sshd_config.5;:</para>

	    be appropriate in the
	    <filename>/etc/ssh/sshd_config</filename> file:</para>

>  +
>  +      <programlisting>AllowUsers root at 192.168.1.32</programlisting>
>  +
>  +      <para>To allow a user, admin, to login from anywhere, use a
>  +        <quote>*</quote>:</para>

	  <para>To allow a user, <username>admin</username>, to login
	    from anywhere, use the following:</para>

>  +
>  +      <programlisting>AllowUsers admin@*</programlisting>

>  +      <programlisting>AllowUsers admin</programlisting>

		yes, @* is useless

>  +
>  +      <para>Multiple users will all be listed on the same line:</para>
>  +
>  +      <programlisting>AllowUsers root at 192.168.1.32 admin@*</programlisting>

	  <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
>  +
>  +      <note>
>  +        <para>It is important that you list each user that needs to
>  +          login to this machine, otherwise they will be locked out.</para>
>  +      </note>
>  +
>  +      <para>After making any changes to <filename>sshd_config</filename>
>  +         you must restart &man.sshd.8; by running:</para>
>  +
>  +      <programlisting>&prompt.root; killall -HUP sshd</programlisting>
>  +    </sect2>
>  +
>  +    <sect2>
>         <title>Further Reading</title>
>         <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
>         <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
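
Review bot: the restart step at the end of the new section, "killall -HUP sshd", signals every process named sshd, including the per-connection processes serving users who are already logged in, not only the listening daemon. The note just above it warns that unlisted users are locked out, so the administrator's existing session is the one thing that should survive while the new AllowUsers line is tested. Suggest signalling only the master daemon (for example, kill -HUP with the PID read from /var/run/sshd.pid) and adding a sentence telling readers to confirm a fresh login works before closing their current session.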


Marc


