I have a question on the meaning of AllowUsers in the /etc/sshd_conf configuration file.
Do you use "AllowUsers username ..." to enforce a deny-all-except policy, versus using "DenyUsers" to just deny certain users?
If you have the entry:
Code:
AllowUsers mike john
Does this mean that all users are denied except for the users "mike" and "john"?
The example on page 295 of "Securing and Optimizing Linux: The Ultimate Solution" seems to imply that this is the case.
http://www.tldp.org/LDP/solrhe/Secur...ution-v2.0.pdf
Also, how is AllowGroups used in combination with AllowUsers?
If you have 3 members of the wheel group that you want to allow to log into ssh and allow the users "mike" and "john" access who are not members of the wheel group, would this suffice:
Code:
AllowGroups wheel
AllowUsers mike john
or would the AllowUsers entry take precedence?
Would this combination
Code:
DenyUsers *
AllowGroups wheel sshusers
allow the members of the wheel group and the members of the sshusers group access and deny all other users?
My understanding is that for a workstation or home computer, with a small fixed set of users, using AllowUsers alone is the best plan of action, whereas for a server that has many users connecting, using AllowGroups and denying system users with DenyUsers to control access and using PAM for authentication would work best.
One last question. Does the order of the Deny and Allow entries make a difference?
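
Added example, not part of the original post: a simplified Python model of the check order documented in sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups, where a login must pass every directive that is set), run over the three configurations asked about. The accounts and group memberships are constructed, configuration "D" is the third configuration without its DenyUsers line, and USER@HOST patterns and negated patterns are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed accounts: user -> groups (primary and supplementary).
ACCOUNTS = {
    "mike": ["users"],
    "john": ["users"],
    "alice": ["wheel", "users"],
    "bob": ["sshusers"],
    "eve": ["users"],
}

# The three configurations from the post, plus C without its DenyUsers line.
CONFIGS = {
    "A": {"AllowUsers": ["mike", "john"]},
    "B": {"AllowGroups": ["wheel"], "AllowUsers": ["mike", "john"]},
    "C": {"DenyUsers": ["*"], "AllowGroups": ["wheel", "sshusers"]},
    "D": {"AllowGroups": ["wheel", "sshusers"]},
}

def matches(name, patterns):
    """True if name matches any pattern (simplified: '*' and '?' wildcards)."""
    return any(fnmatchcase(name, p) for p in patterns)

def sshd_allows(user, groups, cfg):
    """Apply the directives in the documented order; the first failure denies."""
    if matches(user, cfg.get("DenyUsers", [])):
        return False, "matched DenyUsers"
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not matches(user, allow_users):
        return False, "not listed in AllowUsers"
    if any(matches(g, cfg.get("DenyGroups", [])) for g in groups):
        return False, "matched DenyGroups"
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not any(matches(g, allow_groups) for g in groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"

def allowed_set(cfg):
    """Sorted list of constructed accounts that pass every check."""
    return sorted(u for u, g in ACCOUNTS.items() if sshd_allows(u, g, cfg)[0])

if __name__ == "__main__":
    for label, cfg in CONFIGS.items():
        print(label, cfg, "->", allowed_set(cfg) or "nobody")
        for user, groups in ACCOUNTS.items():
            print(f"    {user:6} {sshd_allows(user, groups, cfg)[1]}")
```

Because the result depends only on this fixed check order, the order in which the lines appear in the configuration file does not change the outcome in this model.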