[Bug 3193] New: Add separate section in sshd_config man page on Access Control
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Sun Jul 19 01:26:29 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3193
Bug ID: 3193
Summary: Add separate section in sshd_config man page on Access
Control
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: spamfilter at satchell.net
In the sshd_config man page, I suggest you add a separate section to
provide a summary of common access control methods.
ACCESS CONTROL
In sshd, the access controls are placed in the configuration file. The
following example is a starting point for a simple access policy:
PermitRootLogin no
DenyUsers @*
DenyGroups root
AllowUsers user at 10.1.1.* # Local network
AllowUsers user at 1.2.3.4 # External site 1
AllowUsers user at 76.209.1.162 # External site 2
Match group ssh-users
AllowUsers *
The PermitRootLogin directive prevents ne'er-do-wells from brute-force
attacking your root password. The DenyGroups directive backs up the
no-root-login policy
The DenyUsers wild card establishes a mostly-closed security policy.
Each AllowUsers directive permits unrestricted access for "user"
sourced from the specified IPv4 address. (*** IPv6 example?)
The Match directive and the accompanying AllowUsers predicate permits
any user, belonging to group "ssh-users", to log in from anywhere.
(Remember not to specify "ssh-users" as a group for root.) A safer
predicate would be "AllowUsers *@10.1.1.*" to limit access on the local
LAN.
----
Permission to use the above granted.
If y'all think it appropriate, you can include verbage describing how
AllowUsers, DenyUsers, AllowGroups, and DenyGroups interact. Also,
what directives can trump other directives. In particular, how sshd
handles overlapping AllowUsers and DenyUsers directives -- which wins?
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list