[vox-tech] quick questions about sshd_config
Cylar Z
cylarz at yahoo.com
Mon Dec 4 04:04:28 PST 2006
Hi all,
Running Fedora Core 6 and have a few noob questions.
I'm attempting to improve system security via the use
of the AllowUser and DenyUser directives in
/etc/ssh/sshd_config. I have been all over Google and
have found many pages such as this one:
http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html
However, I have a few questions which aren't answered
by any of the guides I've found:
1. Where exactly in the config file does the
Allow/DenyUsers directives go? There aren't any
"dummy" allow or deny directives in the file as-is, to
guide me. Does it matter where in the file that I put
them?
2. Does saying "DenyUsers root" prohibit root from
logging in at all, or just directly? I've already
specified "PermitRootLogin no" elsewhere in the file
(so to become root, a user must log in with a regular
account and then use su - ), so wouldn't this be
redundant?
3. What I want to do is permit only 3 accounts to ssh
in directly. Is this how I'd say it?
AllowUsers user1 user2 user3
DenyUsers *
There's no indication in the guide pages, however,
that AllowUsers would would take precedence over
DenyUsers, or vice-versa. I guess I'm afraid to just
experiment with this, for fear of locking myself out
of the system completely, or at least wind up being
unable to access it remotely. It's a hassle to travel
to where the system is physically located.
4. Am I correct in assuming that the accounts which
specify "nologin" in /etc/password (such as "nobody",
"apache", etc) would be unaffected by changes to
/etc/ssh/sshd_config? Since they don't actually
connect to the system using sshd?
Would I also be correct in assuming that logins
directly at the physical console would be similarly
unaffected? I would think that the SSH daemon would
only be concerned with incoming remote connections.
Any insight would be appreciated.
Thanks, Matt
---------------------------------------------------------------------
Rather than appoint yourself judge, jury, and executioner, why not leave it to the One who already is?
More information about the vox-tech
mailing list