Linux Users' Group of Davis (LUGOD)
Page last updated:
2006 Dec 07 16:42

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] quick questions about sshd_config

Hi all,

Running Fedora Core 6 and have a few noob questions.

I'm attempting to improve system security via the use
of the AllowUser and DenyUser directives in
/etc/ssh/sshd_config. I have been all over Google and
have found many pages such as this one:


However, I have a few questions which aren't answered
by any of the guides I've found:

1. Where exactly in the config file do the
Allow/DenyUsers directives go? There aren't any
"dummy" allow or deny directives in the file as-is, to
guide me. Does it matter where in the file that I put

2. Does saying "DenyUsers root" prohibit root from
logging in at all, or just directly? I've already
specified "PermitRootLogin no" elsewhere in the file
(so to become root, a user must log in with a regular
account and then use su - ), so wouldn't this be

3. What I want to do is permit only 3 accounts to ssh
in directly. Is this how I'd say it?

AllowUsers user1 user2 user3
DenyUsers *

There's no indication in the guide pages, however,
that AllowUsers would take precedence over
DenyUsers, or vice-versa. I guess I'm afraid to just
experiment with this, for fear of locking myself out
of the system completely, or at least wind up being
unable to access it remotely. It's a hassle to travel
to where the system is physically located.

4. Am I correct in assuming that the accounts which
specify "nologin" in /etc/password (such as "nobody",
"apache", etc) would be unaffected by changes to
/etc/ssh/sshd_config? Since they don't actually
connect to the system using sshd?

Would I also be correct in assuming that logins
directly at the physical console would be similarly
unaffected? I would think that the SSH daemon would
only be concerned with incoming remote connections.

Any insight would be appreciated.

Thanks, Matt

Rather than appoint yourself judge, jury, and executioner, why not leave it to the One who already is?
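
Question 3 turns on evaluation order: sshd_config(5) documents that the allow/deny directives are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. The Python below is an added example, not part of the original post; it models only the two user directives with plain user-name patterns (no USER@HOST forms, no Match blocks), and its function names are made up for illustration.

```python
import re

# Constructed sample: the two directives proposed in question 3 of the post.
PROPOSED = """\
PermitRootLogin no
AllowUsers user1 user2 user3
DenyUsers *
"""
# Constructed alternative: the allow list on its own.
ALLOW_ONLY = """\
PermitRootLogin no
AllowUsers user1 user2 user3
"""

def parse_user_lists(config_text):
    """Collect AllowUsers/DenyUsers patterns; keywords are case-insensitive."""
    lists = {"allowusers": [], "denyusers": []}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: drop comments
        if not line:
            continue
        keyword, *args = line.split()
        if keyword.lower() in lists:
            lists[keyword.lower()].extend(args)
    return lists

def matches(user, pattern):
    """Wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, user) is not None

def user_allowed(user, config_text):
    """Apply the documented order: DenyUsers first, then AllowUsers."""
    lists = parse_user_lists(config_text)
    if any(matches(user, p) for p in lists["denyusers"]):
        return False  # a DenyUsers match is final; AllowUsers cannot override it
    if lists["allowusers"]:
        return any(matches(user, p) for p in lists["allowusers"])
    return True  # no AllowUsers line means no allow-list restriction

if __name__ == "__main__":
    for name, cfg in (("proposed", PROPOSED), ("allow-only", ALLOW_ONLY)):
        for user in ("user1", "user3", "root", "apache"):
            verdict = "allowed" if user_allowed(user, cfg) else "denied"
            print(f"{name:10} {user:7} -> {verdict}")
```

On the real system, `sshd -t` checks the edited file for errors before the daemon is restarted, and keeping an existing SSH session open while trying a fresh login in a second one guards against lockout.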