Note on sshd_config Setup

What’s sshd_config?

It’s “OpenSSH SSH daemon configuration file”

Simply means the config file for OpenSSH Server.

Located at /etc/ssh/sshd_config

My reference

http://www.freebsd.org/cgi/man.cgi?query=sshd_config

ListenAddress and Port

By default, OpenSSH will listen on port 22 for all address(0.0.0.0 and ::)

There can be multiple Port defined, for example:

Port 22
Port 622

OpenSSH will listen on both ports

ListenAddress specify the address to listen, the address can be hostname, ipv4 or ipv6

You may also add an optional port number, for example:

ListenAddress 192.168.1.120
ListenAddress 1.2.3.4:922
ListenAddress ddns.example.com

OpenSSH will listen on 192.168.1.120 and ddns.example.com at port 22, plus 1.2.3.4 port 922

If there are multiple “Port” specified:

Port 22
Port 622
ListenAddress 192.168.1.120
ListenAddress 1.2.3.4:922
ListenAddress ddns.example.com

Then 192.168.1.120:22   192.168.1.120:622   1.2.3.4:922  ddns.example.com:22  ddns.example.com:622 are listened

 

If port is not specified, sshd will listen on the address and all prior Port options specified.

Access Control:

Process order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

If none of the four is defined, login is allowed fro all users.

If Allow* is defined, login is only allowed to declared users and groups.

Only username and groupname are accepted, UID and GID are NOT.

In the following example, only ‘root’ and ‘user’ are allowed

PermitRootLogin yes
AllowUsers root user

In the following example, only ‘user2’ is denied.

DenyUsers user2

Limit user to specified destination address and port

Supposed the OpenSSH server is listening to multiple IPs (1.1.1.1 and 2.2.2.2)

At the end of sshd_config file: add:

# Only user'git' can access to server address 2.2.2.2
Match LocalAddress 2.2.2.2
AllowUsers git

You may also specify port

# Only user'git' can access to server at port 622
Match LocalPort 622
AllowUsers git

You may also specify address and port

# Only user'git' can access to server 2.2.2.2:622
Match LocalAddress 2.2.2.2 LocalPort 622
AllowUsers git

Note:

Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

 

Limit user from specified source address

# Allow root only from client_ddns.example.com and Allow 'user from' 67.67.67.0/24
# Allow user2 from any host 
AllowUsers root@client_ddns.example.com user@67.67.67.* user2

More details on HOST:

Host: Restricts the following declarations (up to the next Host or Match keyword) to be only for those hosts that match one of the patterns given after the keyword. If more than one pattern is provided, they should be separated by whitespace. A single `*’ as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). A pattern entry may be negated by prefixing it with an exclama- tion mark (`!’). If a negated entry is matched, then the Host entry is ignored, regardless of whether any other patterns on the line match. Negated matches are therefore useful to provide exceptions for wildcard matches.

Here is another approach using Match:

At the end of sshd_config file: add:

# Only user'git' can access to server address 2.2.2.2
Match Address 67.67.67.0/24 User user
AllowUsers user