[vox-tech] quick questions about sshd_config
Luke Crawford
lsc at prgmr.com
Mon Dec 4 04:22:43 PST 2006
On Mon, 4 Dec 2006, Cylar Z wrote:
> 1. Where exactly in the config file does the
> Allow/DenyUsers directives go? There aren't any
> "dummy" allow or deny directives in the file as-is, to
> guide me. Does it matter where in the file that I put
> them?
Just toss it in anywhere; just make sure you don't use the same directive
twice.
>
> 2. Does saying "DenyUsers root" prohibit root from
> logging in at all, or just directly? I've already
> specified "PermitRootLogin no" elsewhere in the file
> (so to become root, a user must log in with a regular
> account and then use su - ), so wouldn't this be
> redundant?
Yes, it is redundant if PermitRootLogin is set to no.
> 3. What I want to do is permit only 3 accounts to ssh
> in directly. Is this how I'd say it?
> AllowUsers user1 user2 user3
> DenyUsers *
>
> There's no indication in the guide pages, however,
> that AllowUsers would take precedence over
> DenyUsers, or vice-versa. I guess I'm afraid to just
> experiment with this, for fear of locking myself out
> of the system completely, or at least wind up being
> unable to access it remotely. It's a hassle to travel
> to where the system is physically located.
You need a serial console.
What I do is
AllowGroups peoplethatcanlogin
and then just change the /etc/group file. The deny others is implicit
when you add an allow statement.
> 4. Am I correct in assuming that the accounts which
> specify "nologin" in /etc/password (such as "nobody",
> "apache", etc) would be unaffected by changes to
> /etc/ssh/sshd_config? Since they don't actually
> connect to the system using sshd?
correct
> Would I also be correct in assuming that logins
> directly at the physical console would be similarly
> unaffected? I would think that the SSH daemon would
> only be concerned with incoming remote connections.
also correct.