LUGOD: Linux Users' Group of Davis
 
Page last updated:
2006 Dec 07 16:42

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] quick questions about sshd_config



Hi all,

Running Fedora Core 6 and have a few noob questions.

I'm attempting to improve system security via the use
of the AllowUser and DenyUser directives in
/etc/ssh/sshd_config. I have been all over Google and
have found many pages such as this one:

http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html

However, I have a few questions which aren't answered
by any of the guides I've found:

1. Where exactly in the config file do the
Allow/DenyUsers directives go? There aren't any
"dummy" allow or deny directives in the file as-is, to
guide me. Does it matter where in the file I put
them?

2. Does saying "DenyUsers root" prohibit root from
logging in at all, or just directly? I've already
specified "PermitRootLogin no" elsewhere in the file
(so to become root, a user must log in with a regular
account and then use su - ), so wouldn't this be
redundant? 

3. What I want to do is permit only 3 accounts to ssh
in directly. Is this how I'd say it?

AllowUsers user1 user2 user3
DenyUsers *

There's no indication in the guide pages, however,
that AllowUsers would take precedence over
DenyUsers, or vice-versa. I guess I'm afraid to just
experiment with this, for fear of locking myself out
of the system completely, or at least wind up being
unable to access it remotely. It's a hassle to travel
to where the system is physically located.

4. Am I correct in assuming that the accounts which
specify "nologin" in /etc/password (such as "nobody",
"apache", etc) would be unaffected by changes to
/etc/ssh/sshd_config? Since they don't actually
connect to the system using sshd?

Would I also be correct in assuming that logins
directly at the physical console would be similarly
unaffected? I would think that the SSH daemon would
only be concerned with incoming remote connections.

Any insight would be appreciated.

Thanks, Matt



---------------------------------------------------------------------
Rather than appoint yourself judge, jury, and executioner, why not leave it to the One who already is?
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
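
Added example (not part of the original post or of OpenSSH itself): a small Python model of the order documented in sshd_config(5), where DenyUsers is checked before AllowUsers, applied to the two-line configuration proposed in question 3. The account names and sample configs are constructed; USER@HOST patterns, negated patterns, group directives, Match blocks and PermitRootLogin are not modelled.

```python
import re

# Constructed sample configs: the pair proposed in the post, and AllowUsers alone.
POSTER_PROPOSAL = "AllowUsers user1 user2 user3\nDenyUsers *\n"
ALLOW_ONLY = "AllowUsers user1 user2 user3\n"

def parse_user_directives(config_text):
    """Collect AllowUsers/DenyUsers patterns from the global section."""
    rules = {"allowusers": [], "denyusers": []}
    for line in config_text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()  # keywords are case-insensitive
        if keyword in rules:
            rules[keyword].extend(fields[1:])  # repeated lines accumulate
    return rules

def _matches_any(user, patterns):
    # sshd_config(5) PATTERNS: '*' is any run of characters, '?' exactly one.
    for pattern in patterns:
        regex = "".join(
            ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
        )
        if re.fullmatch(regex, user):
            return True
    return False

def ssh_login_permitted(user, rules):
    """Apply the documented order: DenyUsers first, then AllowUsers."""
    if _matches_any(user, rules["denyusers"]):
        return False  # a deny match wins, whatever AllowUsers says
    if rules["allowusers"] and not _matches_any(user, rules["allowusers"]):
        return False  # once AllowUsers is set, unlisted users are refused
    return True

def who_can_log_in(config_text, accounts):
    """Return the accounts from the list that sshd would accept."""
    rules = parse_user_directives(config_text)
    return [a for a in accounts if ssh_login_permitted(a, rules)]

if __name__ == "__main__":
    accounts = ["user1", "user2", "user3", "user4", "root"]  # constructed names
    for name, text in (("proposal", POSTER_PROPOSAL), ("AllowUsers only", ALLOW_ONLY)):
        print(name, "->", who_can_log_in(text, accounts))
```

On a live system, `sshd -t` checks the edited file for syntax errors before the daemon is reloaded, and keeping an existing session open while testing a new login guards against the lockout described in question 3.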


