Bug 80416

Summary: Add information on how to use AllowUsers to the OpenSSH section
Product: Documentation    Reporter: Brad Davis <so14k>
Component: Books & Articles    Assignee: Brad Davis <brd>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
  file.diff    Flags: none

Description Brad Davis 2005-04-27 19:50:20 UTC
	Add information on how to use AllowUsers to the OpenSSH section.
Comment 1 Brad Davis 2005-04-27 19:58:35 UTC
Fix a typo where my fingers got ahead of themselves. Noticed by remko@


--- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
+++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 12:56:10 2005
@@ -4546,6 +4546,39 @@
     </sect2>
 
     <sect2>
+      <title>AllowUsers - Controlling what users are allowed to login
+        and from where</title>
+
+      <para>It is often a good idea to only allow users to login from a
+        certain host and not allow other users to login at all.
+        AllowUsers is a good way to accomplish this. For example, to
+        only allow the root user to login from <hostid
+        role="ipaddr">192.168.1.32</hostid>, something like this would
+        be appropriate for &man.sshd_config.5;:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32</programlisting>
+
+      <para>To allow a user, admin, to login from anywhere, use a
+        <quote>*</quote>:</para>
+
+      <programlisting>AllowUsers admin@*</programlisting>
+
+      <para>Multiple users will all be listed on the same line:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting>
+
+      <note>
+        <para>It is important that you list each user that needs to
+          login to this machine, otherwise they will be locked out.</para>
+      </note>
+
+      <para>After making any changes to <filename>sshd_config</filename>
+         you must restart &man.sshd.8; by running:</para>
+
+      <programlisting>&prompt.root; killall -HUP sshd</programlisting>
+    </sect2>
+
+    <sect2>
       <title>Further Reading</title>
       <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
       <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
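Review bot: the reload step `&prompt.root; killall -HUP sshd` sends SIGHUP to every process named sshd, which includes the per-connection child processes serving logged-in users, not only the listening daemon that re-reads the configuration; the children do not handle SIGHUP the way the listener does, so active sessions (possibly the one the edit is being made from) can be dropped. Since the paragraph only wants sshd to re-read `sshd_config`, suggest `&prompt.root; /etc/rc.d/sshd reload`, which signals just the listener recorded in its pid file. Minor: `AllowUsers admin@*` is equivalent to the bare `AllowUsers admin`, so the `@*` can be dropped from both listings that use it.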
Comment 2 Marc Fonvieille freebsd_committer freebsd_triage 2005-04-27 20:15:53 UTC
On Wed, Apr 27, 2005 at 07:00:32PM +0000, Brad Davis wrote:
> The following reply was made to PR docs/80416; it has been noted by GNATS.
> 
> From: Brad Davis <so14k@so14k.com>
> To: bug-followup@freebsd.org
> Cc:  
> Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
> Date: Wed, 27 Apr 2005 12:58:35 -0600
> 
>  Fix a typo where my fingers got ahead of themselves. Noticed by remko@
>  
>  
>  --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
>  +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 12:56:10 2005
>  @@ -4546,6 +4546,39 @@
>       </sect2>
>   
>       <sect2>
>  +      <title>AllowUsers - Controlling what users are allowed to login
>  +        and from where</title>
>  +

I think you don't need to mention the option name in the title, but you
have to respect "Chicago style" for titles like:

	  <title>Controlling Which Users Are Allowed to Login and From
	    Where</title>

>  +      <para>It is often a good idea to only allow users to login from a
>  +        certain host and not allow other users to login at all.
>  +        AllowUsers is a good way to accomplish this. For example, to

            The <literal>AllowUsers</literal> option is a good way to
	    accomplish this.  For example, to

>  +        only allow the root user to login from <hostid

	    only allow the <username>root</username> user to login
	    from <hostid

>  +        role="ipaddr">192.168.1.32</hostid>, something like this would
>  +        be appropriate for &man.sshd_config.5;:</para>

	    be appropriate in the
	    <filename>/etc/ssh/sshd_config</filename> file:</para>

>  +
>  +      <programlisting>AllowUsers root@192.168.1.32</programlisting>
>  +
>  +      <para>To allow a user, admin, to login from anywhere, use a
>  +        <quote>*</quote>:</para>

	  <para>To allow a user, <username>admin</username>, to login
	    from anywhere, use the following:</para>

>  +
>  +      <programlisting>AllowUsers admin@*</programlisting>

>  +      <programlisting>AllowUsers admin</programlisting>

		yes, @* is useless

>  +
>  +      <para>Multiple users will all be listed on the same line:</para>
>  +
>  +      <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting>

	  <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
>  +
>  +      <note>
>  +        <para>It is important that you list each user that needs to
>  +          login to this machine, otherwise they will be locked out.</para>
>  +      </note>
>  +
>  +      <para>After making any changes to <filename>sshd_config</filename>
>  +         you must restart &man.sshd.8; by running:</para>
>  +
>  +      <programlisting>&prompt.root; killall -HUP sshd</programlisting>
>  +    </sect2>
>  +
>  +    <sect2>
>         <title>Further Reading</title>
>         <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
>         <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
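Review bot: the `AllowUsers root@192.168.1.32` example is only half of what root needs to log in: `AllowUsers` does not override `PermitRootLogin`, and FreeBSD's shipped `sshd_config` leaves root logins disabled, so the paragraph introducing that listing should either say that `PermitRootLogin` must also permit root, or use an unprivileged account as the host-restricted example and keep root out of the sample entirely.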


Marc
Comment 3 Brad Davis 2005-04-28 00:20:44 UTC
Updated with corrections based on input by blackend@ and Daniel Gerzo.


--- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
+++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 17:18:13 2005
@@ -4546,6 +4546,41 @@
     </sect2>
 
     <sect2>
+      <title>AllowUsers - Controlling What Users Are Allowed to Login
+        and From Where</title>
+
+      <para>It is often a good idea to only allow users to login from a
+        certain host and not allow other users to login at all.  The
+        <literal>AllowUsers</literal> options is a good way to
+        accomplish this.  For example, to only allow the root user to
+        login from <hostid role="ipaddr">192.168.1.32</hostid>,
+        something like this would be appropriate in the
+        <filename>/etc/ssh/sshd_config</filename> file:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32</programlisting>
+
+      <para>To allow a user, <username>admin</username>, to login from
+        anywhere, just list the username by itself:</para>
+
+      <programlisting>AllowUsers admin</programlisting>
+
+      <para>Multiple users will all be listed on the same line:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
+
+      <note>
+        <para>It is important that you list each user that needs to
+          login to this machine, otherwise they will be locked out.</para>
+      </note>
+
+      <para>After making any changes to
+         <filename>/etc/ssh/sshd_config</filename> you must tell
+         &man.sshd.8; to reload it's config files, by running:</para>
+
+      <programlisting>&prompt.root; /etc/rc.d/sshd reload</programlisting>
+    </sect2>
+
+    <sect2>
       <title>Further Reading</title>
       <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
       <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
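Review bot: two wording errors in the new text: `The <literal>AllowUsers</literal> options is a good way` should read `option is`, and `reload it's config files` should be the possessive `its configuration file`. Separately, since the `<note>` warns that an unlisted user is locked out, the reload paragraph is the natural place to suggest checking the edited file with `sshd -t` and keeping the current session open until a fresh login succeeds, so that a typo in the `AllowUsers` line cannot lock the administrator out of the machine.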
Comment 4 Brad Davis 2005-04-28 01:18:34 UTC
Add <varname> tags in the title around AllowUsers so that it is visible
(for those who know what they are looking for...).



--- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
+++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 18:16:38 2005
@@ -4546,6 +4546,41 @@
     </sect2>
 
     <sect2>
+      <title><varname>AllowUsers</varname> - Controlling What Users Are
+        Allowed to Login and From Where</title>
+
+      <para>It is often a good idea to only allow users to login from a
+        certain host and not allow other users to login at all.  The
+        <literal>AllowUsers</literal> options is a good way to
+        accomplish this.  For example, to only allow the root user to
+        login from <hostid role="ipaddr">192.168.1.32</hostid>,
+        something like this would be appropriate in the
+        <filename>/etc/ssh/sshd_config</filename> file:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32</programlisting>
+
+      <para>To allow a user, <username>admin</username>, to login from
+        anywhere, just list the username by itself:</para>
+
+      <programlisting>AllowUsers admin</programlisting>
+
+      <para>Multiple users will all be listed on the same line:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
+
+      <note>
+        <para>It is important that you list each user that needs to
+          login to this machine, otherwise they will be locked out.</para>
+      </note>
+
+      <para>After making any changes to
+         <filename>/etc/ssh/sshd_config</filename> you must tell
+         &man.sshd.8; to reload it's config files, by running:</para>
+
+      <programlisting>&prompt.root; /etc/rc.d/sshd reload</programlisting>
+    </sect2>
+
+    <sect2>
       <title>Further Reading</title>
       <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
       <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
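Review bot: markup consistency: the title now wraps the option name in `<varname>` while the first paragraph still uses `<literal>AllowUsers</literal>`; pick one element for the option name and use it throughout the section. The `options is` and `it's config files` errors from the previous revision are still present in this one.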
Comment 5 jcamou freebsd_committer freebsd_triage 2005-05-02 07:52:24 UTC
Responsible Changed
From-To: freebsd-doc->jcamou

Grab it.
Comment 6 Brad Davis 2005-05-27 02:42:06 UTC
More changes based on input from trhodes@



--- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26 19:04:27 2005
+++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26 19:38:05 2005
@@ -4548,6 +4548,40 @@
     </sect2>
 
     <sect2>
+      <title>The <varname>AllowUsers</varname> Users Option</title>
+
+      <para>It is often a good idea to limit what users can login and
+        from where.  The <literal>AllowUsers</literal> option is a good
+        way to accomplish this.  For example, to only allow the
+        <username>root</username> user to login from
+        <hostid role="ipaddr">192.168.1.32</hostid>, something like this
+        would be appropriate in the
+        <filename>/etc/ssh/sshd_config</filename> file:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32</programlisting>
+
+      <para>To allow a user, <username>admin</username>, to login from
+        anywhere, just list the username by itself:</para>
+
+      <programlisting>AllowUsers admin</programlisting>
+
+      <para>Multiple users should be listed on the same line, like so:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
+
+      <note>
+        <para>It is important that you list each user that needs to
+          login to this machine, otherwise they will be locked out.</para>
+      </note>
+
+      <para>After making changes to
+         <filename>/etc/ssh/sshd_config</filename> you must tell
+         &man.sshd.8; to reload it's config files, by running:</para>
+
+      <screen>&prompt.root; <userinput>/etc/rc.d/sshd reload</userinput>/screen>
+    </sect2>
+
+    <sect2>
       <title>Further Reading</title>
       <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
       <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
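Review bot: the `<screen>` listing is malformed: `<screen>&prompt.root; <userinput>/etc/rc.d/sshd reload</userinput>/screen>` is missing the `<` of the closing tag, so the `<screen>` element is never closed and the line ends with the stray text `/screen>`; this will fail the SGML build. It should read `</userinput></screen>`. The `it's config files` in the paragraph above it is still the possessive `its`.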
Comment 7 Brad Davis freebsd_committer freebsd_triage 2005-06-01 18:56:57 UTC
Responsible Changed
From-To: jcamou->brd

Over to me.
Comment 8 Ceri Davies freebsd_committer freebsd_triage 2005-06-01 22:16:49 UTC
Hey Brad,

Here are the nits :)

--- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26 19:04:27 2005
+++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26 19:38:05 2005
@@ -4548,6 +4548,40 @@
     </sect2>
 
     <sect2>
+      <title>The <varname>AllowUsers</varname> Users Option</title>
+
+      <para>It is often a good idea to limit what users can login and

s/what/which/, and "login" isn't actually a verb, so s/login/log in/ (yes,
I know that this is inconsistent in the existing docs).

+        from where.  The <literal>AllowUsers</literal> option is a good
+        way to accomplish this.  For example, to only allow the
+        <username>root</username> user to login from

s/login/log in/


+        <hostid role="ipaddr">192.168.1.32</hostid>, something like this
+        would be appropriate in the
+        <filename>/etc/ssh/sshd_config</filename> file:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32</programlisting>
+
+      <para>To allow a user, <username>admin</username>, to login from
+        anywhere, just list the username by itself:</para>

Too many commas.  All Americans (and Germans) are guilty of this; don't
feel bad :) I'd suggest:

       <para>To allow the user <username>admin</username> to log in from
         anywhere, just list the username by itself:</para>

+      <para>Multiple users should be listed on the same line, like so:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
+
+      <note>
+        <para>It is important that you list each user that needs to
+          login to this machine, otherwise they will be locked out.</para>

Blah, login/log in again.  Also, that comma should be a semicolon.

+      <para>After making changes to
+         <filename>/etc/ssh/sshd_config</filename> you must tell
+         &man.sshd.8; to reload it's config files, by running:</para>
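Review bot: the title `The <varname>AllowUsers</varname> Users Option` (first `+` line of the hunk) repeats "Users"; `The <varname>AllowUsers</varname> Option` is enough.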

OK, now is my major #1 bugbear (and this is in the Apache logs patch
too) - if "it's" refers to anything other than "it is" or "it has", then
you have it wrong and you should have written "its" instead.

Other than that, this looks good!

Ceri
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
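The `AllowUsers` semantics the patches in this PR document, as an added example for this review and not code from the FreeBSD Handbook or from OpenSSH: a small Python model of how sshd evaluates `DenyUsers` and `AllowUsers` entries (deny list first, then allow list; a `user@host` entry is checked against the client's hostname and IP; a bare name matches from anywhere), plus a helper for the lock-out pitfall the Handbook's note warns about. The `sshd_config` excerpt and the client connections below are constructed for this example; group options, `!` negation and `Match` blocks are deliberately left out.

```python
"""Simplified model of sshd's AllowUsers / DenyUsers evaluation.

Added example for this review; not code from the FreeBSD Handbook or from
OpenSSH.  It mirrors the order used by sshd's allowed_user(): DenyUsers is
consulted first, then AllowUsers (if set, the user must match an entry).
A "user@host" entry matches when the host part matches either the client
hostname or its IP address; '*' and '?' are wildcards.  fnmatch also honours
'[...]' classes, which sshd does not, so avoid those in patterns here.
Groups, '!' negation and Match blocks are intentionally not modelled.
"""
import fnmatch

# Constructed excerpt of /etc/ssh/sshd_config for this example.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
DenyUsers guest
AllowUsers root@192.168.1.32 admin ops@*.corp.example
"""


def parse_user_lists(config_text):
    """Return (deny_patterns, allow_patterns) from sshd_config text.

    Keywords are case-insensitive and may appear on several lines; later
    lines extend the list.  Only the 'Keyword value...' form is handled.
    """
    deny, allow = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        keyword, patterns = parts[0].lower(), parts[1:]
        if keyword == "denyusers":
            deny.extend(patterns)
        elif keyword == "allowusers":
            allow.extend(patterns)
    return deny, allow


def match_user_pattern(pattern, user, host, ip):
    """True if one AllowUsers/DenyUsers token matches this login attempt."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        host_ok = (fnmatch.fnmatchcase(host, host_pat)
                   or fnmatch.fnmatchcase(ip, host_pat))
    else:
        user_pat, host_ok = pattern, True  # bare name: any source host
    return fnmatch.fnmatchcase(user, user_pat) and host_ok


def login_allowed(user, host, ip, deny, allow):
    """Apply sshd's order (DenyUsers, then AllowUsers); returns (bool, reason)."""
    for pat in deny:
        if match_user_pattern(pat, user, host, ip):
            return False, "denied by DenyUsers entry %r" % pat
    if allow:
        for pat in allow:
            if match_user_pattern(pat, user, host, ip):
                return True, "allowed by AllowUsers entry %r" % pat
        return False, "AllowUsers is set and no entry matches %s from %s" % (user, ip)
    return True, "no AllowUsers restriction configured"


def unlisted_users(required_users, allow):
    """Accounts in required_users that no AllowUsers entry names at all.

    This is the check behind the Handbook's note: once AllowUsers is set,
    every account that must keep SSH access has to be listed (possibly
    restricted to a host); anything else is locked out.
    """
    if not allow:
        return []
    return [u for u in required_users
            if not any(fnmatch.fnmatchcase(u, p.split("@", 1)[0]) for p in allow)]


if __name__ == "__main__":
    deny, allow = parse_user_lists(SAMPLE_SSHD_CONFIG)
    attempts = [  # constructed client connections: (user, hostname, ip)
        ("root", "ws32.lan", "192.168.1.32"),
        ("root", "laptop.lan", "10.0.0.5"),
        ("admin", "somewhere.example", "203.0.113.7"),
        ("ops", "build1.corp.example", "192.0.2.10"),
        ("guest", "ws32.lan", "192.168.1.32"),
        ("brd", "ws32.lan", "192.168.1.32"),
    ]
    for user, host, ip in attempts:
        ok, why = login_allowed(user, host, ip, deny, allow)
        print("%-6s from %-14s %-5s %s" % (user, ip, "ALLOW" if ok else "DENY", why))
    print("needed but not listed:", unlisted_users(["root", "admin", "brd"], allow))
```

Running the script shows that `root` is admitted only from 192.168.1.32, `admin` from any address, `ops` only from hosts whose name ends in `.corp.example`, and that `brd`, who is not listed, is refused everywhere, which is exactly the lock-out the Handbook note describes.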
Comment 9 Brad Davis freebsd_committer freebsd_triage 2005-06-07 17:23:30 UTC
State Changed
From-To: open->closed

Committed.