Hi all, Running Fedora Core 6 and have a few noob questions.
I'm attempting to improve system security via the use of the AllowUsers and DenyUsers directives in /etc/ssh/sshd_config. I have been all over Google and have found many pages such as this one: http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html

However, I have a few questions which aren't answered by any of the guides I've found:

1. Where exactly in the config file do the Allow/DenyUsers directives go? There aren't any "dummy" allow or deny directives in the file as-is, to guide me. Does it matter where in the file I put them?

2. Does saying "DenyUsers root" prohibit root from logging in at all, or just directly? I've already specified "PermitRootLogin no" elsewhere in the file (so to become root, a user must log in with a regular account and then use su -), so wouldn't this be redundant?

3. What I want to do is permit only 3 accounts to ssh in directly. Is this how I'd say it?

   AllowUsers user1 user2 user3
   DenyUsers *

   There's no indication in the guide pages, however, that AllowUsers would take precedence over DenyUsers, or vice-versa. I guess I'm afraid to just experiment with this, for fear of locking myself out of the system completely, or at least winding up unable to access it remotely. It's a hassle to travel to where the system is physically located.

4. Am I correct in assuming that the accounts which specify "nologin" in /etc/passwd (such as "nobody", "apache", etc.) would be unaffected by changes to /etc/ssh/sshd_config, since they don't actually connect to the system using sshd? Would I also be correct in assuming that logins directly at the physical console would be similarly unaffected? I would think that the SSH daemon would only be concerned with incoming remote connections.

Any insight would be appreciated.

Thanks,
Matt

---------------------------------------------------------------------
Rather than appoint yourself judge, jury, and executioner, why not leave it to the One who already is?
_______________________________________________ vox-tech mailing list [email protected] http://lists.lugod.org/mailman/listinfo/vox-tech
