By default, SSH Secure Shell does not impose any login
restrictions in addition to those provided by the operating
system. However, you can restrict connections based on host,
user name, or group.
-
AllowHosts/DenyHosts
Login is allowed/denied from hosts whose name matches one of
the specified patterns.
Example 1. Listing complete hostnames.
AllowHosts localhost, foobar\.com, friendly\.org
This allows connections only from the specified hosts.
Example 2. Using patterns with hostnames.
AllowHosts h..s.\..*
This pattern matches, for example, house.foobar.com and
house.com, but not house1.com. Note that you
must write "\." to specify a literal dot; an unescaped
dot matches any single character.
Example 3. Using patterns with IP addresses.
AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
This pattern matches any IP address (xxx.xxx.xxx.xxx).
However, a host's hostname could also match this pattern.
Example 4. Using \i.
AllowHosts "\i192.*\.3"
When \i is used in the beginning of a pattern,
only the host IP addresses are used. The above pattern matches,
for example, 192.0.0.3.
-
AllowSHosts/DenySHosts
The .shosts, .rhosts,
/etc/shosts.equiv and /etc/hosts.equiv
entries are honored only for hosts whose name matches one of
the specified patterns. It is recommended to use these keywords
with host-based authentication.
-
AllowUsers/DenyUsers
Login is allowed/denied as users whose name matches one of the specified patterns.
Example 1. Using complete user names.
DenyUsers devil@evil\.org,warezdude,1337
This denies login as devil when the connection is
coming from evil.org. It also denies login (from all
addresses) as warezdude and as the user whose UID is
1337.
Example 2. Using patterns with user names.
AllowUsers "sj*,s[:digit:]+,s(jl|amza)"
This pattern matches, for example, sjj, sjjj,
s1, s123, and samza but not
s1x or slj.
Example 3. Using \i.
AllowUsers "sjl@\i192.*\.3"
This would allow login as user sjl from only those
hosts whose IP address matches the specified pattern.
-
AllowGroups/DenyGroups
Login is allowed/denied when one of the groups the user belongs
to matches one of the specified patterns.
Example 1.
AllowGroups root,staff,users
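
The AllowHosts/DenyHosts pattern rules above, as an added example that is not part of SSH Secure Shell or its documentation: a Python approximation that flags list entries whose dots were left unescaped and checks a connecting host against a pattern list. It assumes whole-name matching (as the house1.com case implies) and that patterns without \i are tried against both the hostname and the IP address; the function names and sample hosts are constructed, and Python's re module stands in for the product's own regex engine.

```python
import re

def split_patterns(value):
    """Split a keyword value on commas; '\\,' is a literal comma, not a separator."""
    parts = re.split(r"(?<!\\),", value.strip().strip('"'))
    return [p.strip().replace("\\,", ",") for p in parts if p.strip()]

def compile_pattern(pattern):
    """Return (ip_only, regex). A leading '\\i' restricts matching to the IP address."""
    ip_only = pattern.startswith("\\i")
    body = pattern[2:] if ip_only else pattern
    # Python's re has no POSIX classes; only [:digit:] (used on this page) is mapped.
    return ip_only, re.compile(body.replace("[:digit:]", "0-9"))

def matches(value, hostname, ip):
    """True if the connecting host matches any pattern in the list.
    Assumption: a pattern must match the whole name, and patterns without
    '\\i' are tried against both the hostname and the IP address."""
    for pattern in split_patterns(value):
        ip_only, rx = compile_pattern(pattern)
        candidates = [ip] if ip_only else [hostname, ip]
        if any(rx.fullmatch(c) for c in candidates):
            return True
    return False

def unescaped_dot_patterns(value):
    """Patterns that read like plain names or addresses: every '.' in them is a
    wildcard, which is rarely what the administrator meant."""
    return [p for p in split_patterns(value)
            if "." in p and re.fullmatch(r"[A-Za-z0-9.-]+", p)]

if __name__ == "__main__":
    # Constructed sample inputs; host names and addresses are illustrative only.
    strict = r"localhost, foobar\.com, friendly\.org"
    loose = "localhost, foobar.com, friendly.org"
    print(unescaped_dot_patterns(strict))   # nothing to flag
    print(unescaped_dot_patterns(loose))    # both dotted names flagged
    print(matches(strict, "foobar-com", "203.0.113.7"))
    print(matches(loose, "foobar-com", "203.0.113.7"))
    print(matches(r"h..s.\..*", "house1.com", "203.0.113.7"))
    print(matches(r'"\i192.*\.3"', "gw.example", "192.0.0.3"))
```

Running unescaped_dot_patterns over each AllowHosts and DenyHosts value during a configuration review lists the entries that need "\." before they are deployed.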