Serverwide access control permits or denies connections from particular hosts or Internet domains, or to specific user accounts on the server machine. It’s applied separately from authentication: for example, even if a user’s identity is legitimate, you might still want to reject connections from her computer. Similarly, if a particular computer or Internet domain has poor security policies, you might want to reject all SSH connection attempts from that domain.

SSH access control is scantily documented and has many subtleties and “gotchas.” The configuration keywords look obvious in meaning, but they aren’t. Our primary goal in this section is to illuminate the murky corners so that you can develop a correct and effective access-control configuration.

Keep in mind that SSH access to an account is permitted only if both the server and the account are configured to allow it. If a server accepts SSH connections to all accounts it serves, individual users may still deny connections to their accounts. [8.2] Likewise, if an account is configured to permit SSH access, the SSH server on its host can nonetheless forbid access. This two-level system applies to all SSH access control, so we won’t state it repeatedly. Figure 5-2 summarizes the two-level access control system.^[68]

Figure 5-2. Access control levels