[vox-tech] quick questions about sshd_config

Cylar Z cylarz at yahoo.com
Mon Dec 4 04:04:28 PST 2006


Hi all,

Running Fedora Core 6 and have a few noob questions.

I'm attempting to improve system security via the use
of the AllowUsers and DenyUsers directives in
/etc/ssh/sshd_config. I have been all over Google and
have found many pages such as this one:

http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html

However, I have a few questions which aren't answered
by any of the guides I've found:

1. Where exactly in the config file do the
Allow/DenyUsers directives go? There aren't any
"dummy" allow or deny directives in the file as-is, to
guide me. Does it matter where in the file I put
them?

2. Does saying "DenyUsers root" prohibit root from
logging in at all, or just directly? I've already
specified "PermitRootLogin no" elsewhere in the file
(so to become root, a user must log in with a regular
account and then use su - ), so wouldn't this be
redundant? 

3. What I want to do is permit only 3 accounts to ssh
in directly. Is this how I'd say it?

AllowUsers user1 user2 user3
DenyUsers *

There's no indication in the guide pages, however,
that AllowUsers would take precedence over
DenyUsers, or vice-versa. I guess I'm afraid to just
experiment with this, for fear of locking myself out
of the system completely, or at least wind up being
unable to access it remotely. It's a hassle to travel
to where the system is physically located.

4. Am I correct in assuming that the accounts which
specify "nologin" in /etc/passwd (such as "nobody",
"apache", etc) would be unaffected by changes to
/etc/ssh/sshd_config? Since they don't actually
connect to the system using sshd?

Would I also be correct in assuming that logins
directly at the physical console would be similarly
unaffected? I would think that the SSH daemon would
only be concerned with incoming remote connections.

Any insight would be appreciated.

Thanks, Matt



---------------------------------------------------------------------
Rather than appoint yourself judge, jury, and executioner, why not leave it to the One who already is?
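An added example, not part of the original post and not OpenSSH code: a small Python simulation of the evaluation order that sshd_config(5) documents for the four user/group directives (DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups), applied to the exact fragment proposed in question 3 and to the same fragment without the "DenyUsers *" line. The names `parse_sshd_config`, `sshd_match`, `login_permitted`, `lockout_risks` and `evaluate`, and both config fragments, are constructed for this illustration. Assumptions: patterns support only the `*` and `?` wildcards (no user@host or negated patterns), Match blocks are not modelled, the account's login shell is not checked, and only the plain "no" value of PermitRootLogin is modelled.

```python
"""Simulate sshd's DenyUsers / AllowUsers / DenyGroups / AllowGroups evaluation.

Constructed illustration for the sshd_config question above; not OpenSSH code.
It follows the order documented in sshd_config(5): DenyUsers is checked first,
then AllowUsers, then DenyGroups, then AllowGroups, and a user must survive
every step to be let in. Simplifications (assumptions): patterns support only
the '*' and '?' wildcards, Match blocks are not modelled, the login shell is
not checked, and only PermitRootLogin's plain "no" value is considered.
"""
import re

LIST_KEYWORDS = {"denyusers", "allowusers", "denygroups", "allowgroups"}


def parse_sshd_config(text):
    """Return {lowercased keyword: [values]} for a global sshd_config fragment.

    The first value seen is kept for scalar keywords such as PermitRootLogin;
    the four user/group list keywords accumulate across repeated lines.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, values = parts[0].lower(), parts[1:]
        if key == "match":
            break  # conditional Match blocks are not modelled here
        if key in LIST_KEYWORDS:
            config.setdefault(key, []).extend(values)
        else:
            config.setdefault(key, values)
    return config


def sshd_match(pattern, name):
    """Match one sshd pattern: '*' is any run of characters, '?' any single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def login_permitted(config, user, groups=()):
    """Return (permitted, reason) for `user` with supplementary `groups`."""
    if any(sshd_match(p, user) for p in config.get("denyusers", [])):
        return False, "matched DenyUsers"
    allow_users = config.get("allowusers", [])
    if allow_users and not any(sshd_match(p, user) for p in allow_users):
        return False, "not listed in AllowUsers"
    if any(sshd_match(p, g) for p in config.get("denygroups", []) for g in groups):
        return False, "matched DenyGroups"
    allow_groups = config.get("allowgroups", [])
    if allow_groups and not any(sshd_match(p, g) for p in allow_groups for g in groups):
        return False, "not in any AllowGroups group"
    # PermitRootLogin is enforced separately at authentication time; only the
    # plain "no" value is modelled (the other values depend on the auth method).
    if user == "root" and (config.get("permitrootlogin") or ["yes"])[0].lower() == "no":
        return False, "PermitRootLogin no"
    return True, "permitted"


def lockout_risks(config, admin_user):
    """List settings that would shut `admin_user` out of remote login."""
    warnings = []
    if any(sshd_match(p, admin_user) for p in config.get("denyusers", [])):
        warnings.append("DenyUsers matches %s; DenyUsers wins over AllowUsers" % admin_user)
    allow_users = config.get("allowusers", [])
    if allow_users and not any(sshd_match(p, admin_user) for p in allow_users):
        warnings.append("AllowUsers is set but does not list %s" % admin_user)
    return warnings


# Constructed fragments: the post's proposal, and the same without "DenyUsers *".
PROPOSED = """\
PermitRootLogin no
AllowUsers user1 user2 user3
DenyUsers *
"""
WITHOUT_DENY_ALL = """\
PermitRootLogin no
AllowUsers user1 user2 user3
"""


def evaluate(text, users=("user1", "user4", "root")):
    """Map each user to its (permitted, reason) under the given fragment."""
    config = parse_sshd_config(text)
    return {u: login_permitted(config, u) for u in users}


if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED), ("without DenyUsers *", WITHOUT_DENY_ALL)):
        print(label, evaluate(text), lockout_risks(parse_sshd_config(text), "user1"))
```

Running it shows why the "DenyUsers *" line is the dangerous one: it is evaluated before AllowUsers, so every user, user1 through user3 included, gets "matched DenyUsers", whereas the fragment with only AllowUsers admits the three named accounts and refuses everyone else, root included. Two general precautions, independent of this simulation: `sshd -t` checks the edited file for syntax errors before the daemon is restarted (it does not evaluate who may log in), and keeping the existing session open while a fresh login is tried from a second terminal leaves a way to revert the file if that login fails.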

