On Mon, 4 Dec 2006, Cylar Z wrote:

1. Where exactly in the config file does the
Allow/DenyUsers directives go? There aren't any
"dummy" allow or deny directives in the file as-is, to
guide me. Does it matter where in the file that I put
them?

Just toss it in anywhere; just make sure you don't use the same directive twice.


2. Does saying "DenyUsers root" prohibit root from
logging in at all, or just directly? I've already
specified "PermitRootLogin no" elsewhere in the file
(so to become root, a user must log in with a regular
account and then use su - ), so wouldn't this be
redundant?

Yes, it is redundant if PermitRootLogin is set to no.

3. What I want to do is permit only 3 accounts to ssh
in directly. Is this how I'd say it?

AllowUsers user1 user2 user3
DenyUsers *

There's no indication in the guide pages, however,
that AllowUsers would take precedence over
DenyUsers, or vice-versa. I guess I'm afraid to just
experiment with this, for fear of locking myself out
of the system completely, or at least wind up being
unable to access it remotely. It's a hassle to travel
to where the system is physically located.

You need a serial console.

What I do is

AllowGroups  peoplethatcanlogin

and then just change the /etc/group file. The deny others is implicit when you add an allow statement.

4. Am I correct in assuming that the accounts which
specify "nologin" in /etc/password (such as "nobody",
"apache", etc) would be unaffected by changes to
/etc/ssh/sshd_config? Since they don't actually
connect to the system using sshd?

Correct.

Would I also be correct in assuming that logins
directly at the physical console would be similarly
unaffected? I would think that the SSH daemon would
only be concerned with incoming remote connections.

Also correct.
_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
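
The precedence asked about in question 3, as an added example that is not part of the original thread: sshd_config(5) documents that the directives are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and this shell sketch models that order offline. The function names and sample configs are constructed for illustration; Match blocks, USER@HOST patterns and "!" negation are not modelled.

```shell
#!/bin/sh
# Added example, not from the thread. Simplified model of sshd's access checks:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups, evaluated in that order.
# Assumptions: no Match blocks, no USER@HOST patterns, no "!" negation.

# matches_any NAME PATTERN...  -> 0 if NAME matches one of the glob patterns
matches_any() {
    name=$1; shift
    for pat in "$@"; do
        case $name in $pat) return 0 ;; esac
    done
    return 1
}

# ssh_login_verdict USER "GROUP..." CONFIG_TEXT -> prints allow or deny:<directive>
ssh_login_verdict() {
    user=$1; ugroups=$2; config=$3
    deny_users=; allow_users=; deny_groups=; allow_groups=
    while read -r key args; do          # keywords are case-insensitive
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            denyusers)   deny_users="$deny_users $args" ;;
            allowusers)  allow_users="$allow_users $args" ;;
            denygroups)  deny_groups="$deny_groups $args" ;;
            allowgroups) allow_groups="$allow_groups $args" ;;
        esac
    done <<EOF
$config
EOF
    set -f                              # keep "*" from expanding to file names
    grp_denied=no; grp_allowed=no
    for g in $ugroups; do
        if matches_any "$g" $deny_groups;  then grp_denied=yes;  fi
        if matches_any "$g" $allow_groups; then grp_allowed=yes; fi
    done
    verdict=allow
    if matches_any "$user" $deny_users; then verdict=deny:DenyUsers
    elif [ -n "$allow_users" ] && ! matches_any "$user" $allow_users; then verdict=deny:AllowUsers
    elif [ "$grp_denied" = yes ]; then verdict=deny:DenyGroups
    elif [ -n "$allow_groups" ] && [ "$grp_allowed" = no ]; then verdict=deny:AllowGroups
    fi
    set +f
    printf '%s\n' "$verdict"
}

# Constructed inputs: the config proposed in question 3, and the reply's approach.
PROPOSED='AllowUsers user1 user2 user3
DenyUsers *'
GROUP_ONLY='PermitRootLogin no
AllowGroups peoplethatcanlogin'
ssh_login_verdict user1 "user1" "$PROPOSED"                        # deny:DenyUsers
ssh_login_verdict user1 "user1 peoplethatcanlogin" "$GROUP_ONLY"   # allow
ssh_login_verdict apache "apache" "$GROUP_ONLY"                    # deny:AllowGroups
```

On a live host, `sshd -t -f <candidate file>` checks a candidate config for errors before the daemon is reloaded, and keeping an existing session open while testing a fresh login guards against the remote lockout the thread worries about.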