l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
April 21: Google Glass
Next Installfest:
TBD
Latest News:
Mar. 18: Google Glass at LUGOD's April meeting
Page last updated:
2006 Dec 04 14:47

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] quick questions about sshd_config
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] quick questions about sshd_config



On Mon, 4 Dec 2006, Cylar Z wrote:

1. Where exactly in the config file does the
Allow/DenyUsers directives go? There aren't any
"dummy" allow or deny directives in the file as-is, to
guide me. Does it matter where in the file that I put
them?
Just toss it in anywhere; just make sure you don't use the same directive twice.

2. Does saying "DenyUsers root" prohibit root from
logging in at all, or just directly? I've already
specified "PermitRootLogin no" elsewhere in the file
(so to become root, a user must log in with a regular
account and then use su - ), so wouldn't this be
redundant?
Yes, it is redundant if PermitRootLogin is set to no.

3. What I want to do is permit only 3 accounts to ssh
in directly. Is this how I'd say it?

AllowUsers user1 user2 user3
DenyUsers *

There's no indication in the guide pages, however,
that AllowUsers would  would take precedence over
DenyUsers, or vice-versa. I guess I'm afraid to just
experiment with this, for fear of locking myself out
of the system completely, or at least wind up being
unable to access it remotely. It's a hassle to travel
to where the system is physically located.
You need a serial console.

what I do is

AllowGroups peoplethatcanlogin

and the just change the /etc/group file. The deny others is implicit when you add an allow statement.

4. Am I correct in assuming that the accounts which
specify "nologin" in /etc/password (such as "nobody",
"apache", etc) would be unaffected by changes to
/etc/ssh/sshd_config? Since they don't actually
connect to the system using sshd?
correct

Would I also be correct in assuming that logins
directly at the physical console would be similarly
unaffected? I would think that the SSH daemon would
only be concerned with incoming remote connections.
also correct.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!