openssh bugs - Jul 2020 - [Bug 3193] New: Add separate section in sshd_config man page on Access Control

https://bugzilla.mindrot.org/show_bug.cgi?id=3193

            Bug ID: 3193
           Summary: Add separate section in sshd_config man page on Access
                    Control
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: spamfilter at satchell.net

In the sshd_config man page, I suggest you add a separate section to
provide a summary of common access control methods.

ACCESS CONTROL

In sshd, the access controls are placed in the configuration file.  The
following example is a starting point for a simple access policy:

  PermitRootLogin no
  DenyUsers  @*
  DenyGroups root
  AllowUsers user at 10.1.1.*       # Local network
  AllowUsers user at 1.2.3.4        # External site 1
  AllowUsers user at 76.209.1.162   # External site 2
  Match group ssh-users
    AllowUsers *

The PermitRootLogin directive prevents ne'er-do-wells from brute-force
attacking your root password. The DenyGroups directive backs up the
no-root-login policy

The DenyUsers wild card establishes a mostly-closed security policy.

Each AllowUsers directive permits unrestricted access for "user"
sourced from the specified IPv4 address.  (*** IPv6 example?)

The Match directive and the accompanying AllowUsers predicate permits
any user, belonging to group "ssh-users", to log in from anywhere.
(Remember not to specify "ssh-users" as a group for root.)  A safer
predicate would be "AllowUsers *@10.1.1.*" to limit access on the
local
LAN.

----
Permission to use the above granted.

If y'all think it appropriate, you can include verbage describing how
AllowUsers, DenyUsers, AllowGroups, and DenyGroups interact.  Also,
what directives can trump other directives.  In particular, how sshd
handles overlapping AllowUsers and DenyUsers directives -- which wins?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3193

Stephen Satchell <spamfilter at satchell.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |spamfilter at satchell.net

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3193

--- Comment #1 from Stephen Satchell <spamfilter at satchell.net> ---
I've added a bit to my new server using Open SSH.  This
is specific to a server, not a general access system
To summarize:

# Boilerplate
PermitRootLogin         no
PermitEmptyPasswords    no
IgnoreRhosts            yes
DenyUsers  root
# Add DenyUsers for all "role" accounts
DenyUsers  nobody
# Set up mostly-closed security model
DenyUsers  @*
# Allow specific user from internal network
AllowUsers user at 10.1.1.*
# Allow specific user from outside IP address
AllowUsers user at 1.2.3.4
AllowUsers user at 5.6.7.8
AllowUsers user at 9.10.11.12

Again, permission to use is given to anyone.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.