Date:      Mon, 21 Apr 2008 11:51:20 -0700
From:      Simon Gao <gao@schrodinger.com>
To:        cpghost <cpghost@cordula.ws>
Cc:        Paul Schmehl <pauls@utdallas.edu>, freebsd-questions@freebsd.org
Subject:   Re: [SSHd] Limiting access from authorized IP's
Message-ID:  <480CE228.5000803@schrodinger.com>
In-Reply-To: <20080418173443.40f99867@epia-2.farid-hajji.net>
References:  <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com>	<20080418191449.212f43d3.gary@pattersonsoftware.com>	<1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>	<4808D7F4.8000709@radel.com>	<C8459F8564E589F21F53D9BF@utd65257.utdallas.edu> <20080418173443.40f99867@epia-2.farid-hajji.net>

cpghost wrote:
> On Fri, 18 Apr 2008 13:46:48 -0500
> Paul Schmehl <pauls@utdallas.edu> wrote:
>
>   
>> Let me clarify.  When I use the term "host", I'm referring to what
>> many would call a "personal workstation" or "personal computer".  If
>> you have more than one person who has shell access to a computer,
>> then you no longer have a host. You have a server.  Sure, you may not
>> think of it that way, but that's what it is.
>>
>> Servers are a completely different ballgame, and the decisions you
>> make regarding protecting them have everything to do with who has
>> access to what. The servers that I referenced in my post have one
>> person with root access - me 
>> - and one user - the owners.  No one else has access.  So, it's a
>> great deal easier for me to lock down the boxes than it is, for
>> example, here at work, where *many* people have shell access and more
>> than one have root access through sudo or even su.
>>     
>
> Sorry for bikeshedding here, since it's just a matter of terminology,
> but...
>
> "Hosts" used to be multi-user machines for a long time, and actually
> still are. Most RFCs, including newer ones, refer to "hosts" and mean
> "nodes" on the net. They don't care whether the hosts are workstations
> used by a single or few user(s), or big multi-user machines with
> hundreds of shell accounts.
>
> "Server" is merely the role a program assumes when it waits passively
> for requests from "clients". "Servers" run on "hosts", regardless
> of the number of users on those hosts (ranging from 0 to very high).
>
> Obviously, the security implications vary considerably if you have
> to host many user accounts, esp. on hosts used by mission critical
> server programs. ;)
>
> And of course, the bikeshed has to be painted... red! :)
>
> Regards,
> -cpghost.
>
>   
Try this:

AllowUsers *@127.0.0.1 *@192.168.1.20 joe@<home ip>

Simon
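
The AllowUsers line suggested above, modelled as an added Python example (not part of the original message, and not OpenSSH code): once AllowUsers is set, only logins matching one of its USER@HOST patterns are accepted, and everything else is refused. The address 203.0.113.7 is a constructed placeholder for "<home ip>", and the model covers only wildcards and CIDR hosts, not negated patterns, hostname matching, or the other Allow/Deny directives.

```python
import ipaddress
import re

# Constructed placeholder for the "<home ip>" the message leaves unspecified.
HOME_IP = "203.0.113.7"
ALLOW_USERS = f"*@127.0.0.1 *@192.168.1.20 joe@{HOME_IP}"

def _wild(pattern, value):
    """sshd-style wildcards: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def _host_matches(host_pat, addr):
    """HOST part: CIDR (address/masklen) or a wildcard over the address text."""
    if "/" in host_pat:
        try:
            net = ipaddress.ip_network(host_pat, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return _wild(host_pat, addr)

def allowed(user, addr, allow_users=ALLOW_USERS):
    """True if (user, addr) matches any entry; no match means login is refused."""
    for entry in allow_users.split():
        user_pat, sep, host_pat = entry.partition("@")
        if not _wild(user_pat, user):
            continue
        # An entry without '@' restricts the user name only, from any address.
        if not sep or _host_matches(host_pat, addr):
            return True
    return False

# Constructed sample logins: (user, source address).
SAMPLES = [
    ("root", "127.0.0.1"),       # any user from localhost
    ("alice", "192.168.1.20"),   # any user from the one LAN host
    ("joe", HOME_IP),            # joe from home
    ("joe", "192.168.1.21"),     # joe from a different LAN host
    ("alice", HOME_IP),          # someone else from joe's home address
    ("root", "198.51.100.9"),    # anyone from an unlisted address
]

if __name__ == "__main__":
    for user, addr in SAMPLES:
        verdict = "allow" if allowed(user, addr) else "deny"
        print(f"{user}@{addr}: {verdict}")
```
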


