O'Reilly logo

SSH, The Secure Shell: The Definitive Guide, 2nd Edition by Robert G. Byrnes, Richard E. Silverman, Daniel J. Barrett

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Access Control: Letting People In

Serverwide access control permits or denies connections from particular hosts or Internet domains, or to specific user accounts on the server machine. It’s applied separately from authentication: for example, even if a user’s identity is legitimate, you might still want to reject connections from her computer. Similarly, if a particular computer or Internet domain has poor security policies, you might want to reject all SSH connection attempts from that domain.

SSH access control is scantily documented and has many subtleties and “gotchas.” The configuration keywords look obvious in meaning, but they aren’t. Our primary goal in this section is to illuminate the murky corners so that you can develop a correct and effective access-control configuration.

Keep in mind that SSH access to an account is permitted only if both the server and the account are configured to allow it. If a server accepts SSH connections to all accounts it serves, individual users may still deny connections to their accounts. [8.2] Likewise, if an account is configured to permit SSH access, the SSH server on its host can nonetheless forbid access. This two-level system applies to all SSH access control, so we won’t state it repeatedly. Figure 5-2 summarizes the two-level access control system.[68]

Access control levels

Figure 5-2. Access control levels

5.5.1 Account Access Control

Ordinarily, any account ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required