Date: Wed, 27 Apr 2005 21:15:53 +0200 From: Marc Fonvieille <blackend@FreeBSD.org> To: Brad Davis <so14k@so14k.com> Cc: bug-followup@FreeBSD.org Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section Message-ID: <20050427191552.GI54002@gothic.blackend.org> In-Reply-To: <200504271900.j3RJ0Wp3039174@freefall.freebsd.org> References: <200504271900.j3RJ0Wp3039174@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Apr 27, 2005 at 07:00:32PM +0000, Brad Davis wrote: > The following reply was made to PR docs/80416; it has been noted by GNATS. > > From: Brad Davis <so14k@so14k.com> > To: bug-followup@freebsd.org > Cc: > Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section > Date: Wed, 27 Apr 2005 12:58:35 -0600 > > Fix a typo where my fingers got ahead of themselves. Noticed by remko@ > > > --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml Wed Apr 27 01:28:51 2005 > +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml Wed Apr 27 12:56:10 2005 > @@ -4546,6 +4546,39 @@ > </sect2> > > <sect2> > + <title>AllowUsers - Controlling what users are allowed to login > + and from where</title> > + I think you don't need to mention the option name in the title, but you have to respect "Chigaco style" for titles like: <title>Controlling Which Users Are Allowed to Login and From Where</title> > + <para>It is often a good idea to only allow users to login from a > + certain host and not allow other users to login at all. > + AllowUsers is a good way to accomplish this. For example, to The <literal>AllowUsers<literal> option is a good way to accomplish this. For example, to > + only allow the root user to login from <hostid only allow the <username>root</username> user to login from <hostid > + role="ipaddr">192.168.1.32</hostid>, something like this would > + be appropriate for &man.sshd_config.5;:</para> be appropriate in the <filename>/etc/ssh/sshd_config</filename> file:</para> > + > + <programlisting>AllowUsers root@192.168.1.32</programlisting> > + > + <para>To allow a user, admin, to login from anywhere, use a > + <quote>*</quote>:</para> <para>To allow a user, <username>admin</username>, to login from anywhere, use the following:</para> > + > + <programlisting>AllowUsers admin@*</programlisting> > + <programlisting>AllowUsers admin</programlisting> yes, @* is useless > + > + <para>Multiple users will all be listed on the same line:</para> > + > + <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting> <programlisting>AllowUsers root@192.168.1.32 admin</programlisting> > + > + <note> > + <para>It is important that you list each user that needs to > + login to this machine, otherwise they will be locked out.</para> > + </note> > + > + <para>After making any changes to <filename>sshd_config</filename> > + you must restart &man.sshd.8; by running:</para> > + > + <programlisting>&prompt.root; killall -HUP sshd</programlisting> > + </sect2> > + > + <sect2> > <title>Further Reading</title> > <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para> > <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; Marc
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050427191552.GI54002>