Recipe 3.14 Restricting Access to an SSH Server by Account

3.14.1 Problem

You want only certain accounts on your machine to accept incoming SSH connections.

3.14.2 Solution

Use sshd's AllowUsers keyword in /etc/ssh/sshd_config. For example, to permit SSH connections from anywhere to access the smith and jones accounts, but no other accounts:

/etc/ssh/sshd_config: AllowUsers smith jones

To allow SSH connections from remote.example.com to the smith account, but no other incoming SSH connections:

AllowUsers smith@remote.example.com

Note this does not say anything about the remote user "smith@remote.example.com." It is a rule about connections from the site remote.example.com to your local smith account.

After modifying sshd_config, restart sshd to incorporate your changes.

3.14.3 Discussion

AllowUsers specifies a list of local accounts that may accept SSH connections. The list is definitive: any account not listed cannot receive SSH connections.

The second form of the syntax (user@host) looks unfortunately like an email address, or a reference to a remote user, but it is no such thing. The line:

AllowUsers user@remotehost

means "allow the remote system called remotehost to connect via SSH to my local account user."

A listing in the AllowUsers line does not guarantee acceptance by sshd: the remote user must still authenticate through normal means (password, public key, etc.), not to mention passing any other roadblocks on the way (firewall rules, etc.).
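To make the two forms of the syntax concrete, here is a small checker (an added example, not from the book) that applies AllowUsers matching to a (local account, remote host) pair. Each entry is either USER or USER@HOST, and both parts may use the shell-style wildcards * and ? as documented in sshd_config(5); the sample entries and host names below are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: evaluate an AllowUsers line the way sshd reads it.
# Each entry is USER or USER@HOST; USER is the LOCAL account being logged
# into, HOST is the REMOTE client. Both parts are glob patterns (* and ?).

# allow_users_permits ALLOW_USERS_LINE LOCAL_USER REMOTE_HOST
# Prints "allow" and returns 0 if any entry matches, else "deny" and 1.
allow_users_permits() {
    line=$1; user=$2; host=$3
    for entry in $line; do
        case $entry in
            *@*)
                # user@host form: split into the two patterns
                upat=${entry%%@*}
                hpat=${entry#*@}
                ;;
            *)
                # plain user form: any remote host is acceptable
                upat=$entry
                hpat='*'
                ;;
        esac
        # Unquoted variables in a case label are used as glob patterns,
        # which is exactly the matching sshd applies to these entries.
        case $user in
            $upat)
                case $host in
                    $hpat) echo allow; return 0 ;;
                esac
                ;;
        esac
    done
    # No entry matched: the list is definitive, so the login is refused.
    echo deny
    return 1
}

# Demo run on constructed inputs; "|| :" keeps the script going on deny.
for pair in 'smith client.example.com' 'root client.example.com' \
            'smith remote.example.com' 'smith other.example.com'; do
    set -- $pair
    printf 'AllowUsers smith jones            -> %s from %s: ' "$1" "$2"
    allow_users_permits 'smith jones' "$1" "$2" || :
    printf 'AllowUsers smith@remote.example.com -> %s from %s: ' "$1" "$2"
    allow_users_permits 'smith@remote.example.com' "$1" "$2" || :
done
```

Two practical notes. First, sshd compares the HOST part against both the client's resolved hostname and its IP address, and the hostname comes from a reverse DNS lookup, so an address pattern (for example 192.0.2.*) is the more reliable choice when the restriction matters. Second, before restarting sshd, run `sshd -t` to syntax-check the file, and `sshd -T -C user=smith,host=remote.example.com,addr=192.0.2.10` to print the configuration sshd would actually apply to that connection (the values after -C are placeholders for your own client).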

3.14.4 See Also

sshd_config(5).



Linux Security Cookbook
ISBN: 0596003919
Year: 2006
Pages: 247