bugzilla-daemon at mindrot.org
2020-Jul-18 15:26 UTC
[Bug 3193] New: Add separate section in sshd_config man page on Access Control
https://bugzilla.mindrot.org/show_bug.cgi?id=3193

            Bug ID: 3193
           Summary: Add separate section in sshd_config man page on Access Control
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: spamfilter at satchell.net

In the sshd_config man page, I suggest you add a separate section to provide a summary of common access control methods.

ACCESS CONTROL

In sshd, the access controls are placed in the configuration file. The following example is a starting point for a simple access policy:

    PermitRootLogin no
    DenyUsers @*
    DenyGroups root
    AllowUsers user@10.1.1.*        # Local network
    AllowUsers user@1.2.3.4         # External site 1
    AllowUsers user@76.209.1.162    # External site 2
    Match group ssh-users
        AllowUsers *

The PermitRootLogin directive prevents ne'er-do-wells from brute-force attacking your root password. The DenyGroups directive backs up the no-root-login policy. The DenyUsers wild card establishes a mostly-closed security policy. Each AllowUsers directive permits unrestricted access for "user" sourced from the specified IPv4 address. (*** IPv6 example?)

The Match directive and the accompanying AllowUsers predicate permit any user belonging to group "ssh-users" to log in from anywhere. (Remember not to specify "ssh-users" as a group for root.) A safer predicate would be "AllowUsers *@10.1.1.*" to limit access on the local LAN.

----

Permission to use the above granted.

If y'all think it appropriate, you can include verbiage describing how AllowUsers, DenyUsers, AllowGroups, and DenyGroups interact. Also, what directives can trump other directives. In particular, how sshd handles overlapping AllowUsers and DenyUsers directives -- which wins?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-18 15:27 UTC
[Bug 3193] Add separate section in sshd_config man page on Access Control
https://bugzilla.mindrot.org/show_bug.cgi?id=3193

Stephen Satchell <spamfilter at satchell.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |spamfilter at satchell.net
bugzilla-daemon at mindrot.org
2020-Jul-21 13:42 UTC
[Bug 3193] Add separate section in sshd_config man page on Access Control
https://bugzilla.mindrot.org/show_bug.cgi?id=3193

--- Comment #1 from Stephen Satchell <spamfilter at satchell.net> ---
I've added a bit to my new server using OpenSSH. This is specific to a server, not a general access system. To summarize:

    # Boilerplate
    PermitRootLogin no
    PermitEmptyPasswords no
    IgnoreRhosts yes
    DenyUsers root

    # Add DenyUsers for all "role" accounts
    DenyUsers nobody

    # Set up mostly-closed security model
    DenyUsers @*

    # Allow specific user from internal network
    AllowUsers user@10.1.1.*

    # Allow specific user from outside IP address
    AllowUsers user@1.2.3.4
    AllowUsers user@5.6.7.8
    AllowUsers user@9.10.11.12

Again, permission to use is given to anyone.
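Added here as a worked example (not code from this thread or from OpenSSH): a small Python model of the evaluation order that sshd_config(5) documents for these directives, DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups, run against the list directives from comment #1 to answer the "which wins" question raised in the original report. The model assumes the HOST half of a USER@HOST pattern is matched against the client IP only (sshd also tries the resolved hostname and CIDR ranges) and leaves Match blocks out.

```python
"""Model of the DenyUsers/AllowUsers/DenyGroups/AllowGroups order that
sshd_config(5) documents.  Constructed for this thread, not sshd's code.
Assumes HOST in USER@HOST is matched on client IP only; no Match blocks."""
import re

# Constructed input: the list directives from comment #1 of this bug.
CONFIG = """\
DenyUsers root
DenyUsers nobody
DenyUsers @*
AllowUsers user@10.1.1.*
AllowUsers user@1.2.3.4
AllowUsers user@5.6.7.8
AllowUsers user@9.10.11.12
"""

def match_pattern(s, pattern):
    """sshd-style anchored glob ('*', '?'); an empty pattern matches only ''."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, s) is not None

def match_user(user, ip, pattern):
    """USER@HOST splits at the first '@' and both halves must match."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    upat, hpat = pattern.split("@", 1)
    return match_pattern(user, upat) and match_pattern(ip, hpat)

def parse(config):
    """Collect the four list directives; other keywords are ignored."""
    lists = {d: [] for d in ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")}
    for raw in config.splitlines():
        key, _, rest = raw.split("#", 1)[0].strip().partition(" ")
        if key in lists:
            lists[key].extend(rest.split())
    return lists

def permitted(lists, user, ip, groups=()):
    """(allowed, reason): a deny match wins; a non-empty allow list excludes."""
    if any(match_user(user, ip, p) for p in lists["DenyUsers"]):
        return False, "DenyUsers"
    if lists["AllowUsers"] and not any(
            match_user(user, ip, p) for p in lists["AllowUsers"]):
        return False, "not in AllowUsers"
    if any(match_pattern(g, p) for g in groups for p in lists["DenyGroups"]):
        return False, "DenyGroups"
    if lists["AllowGroups"] and not any(
            match_pattern(g, p) for g in groups for p in lists["AllowGroups"]):
        return False, "not in AllowGroups"
    return True, "allowed"
```

Running `permitted(parse(CONFIG), "bob", "10.1.1.57")` shows that it is the non-empty AllowUsers list, not the `@*` pattern (whose empty user half matches no real user name), that keeps unlisted users out.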