chore: bootstrap lean sysadmin-chronicles repo

Import the runnable game code, content, docs, scripts, and repo guidance while leaving local agent state, dependency installs, build output, and backup copies out of the published tree.
2026-05-02 11:49:07 -04:00
commit 0265afa054
252 changed files with 37574 additions and 0 deletions
@@ -0,0 +1,39 @@
{
"id": "ssh-access-controls",
"title": "SSH Server Access Controls",
"category": "access",
"tags": ["ssh", "sshd_config", "AllowUsers", "AllowGroups", "security", "hardening"],
"updated": "2025-10-29",
"summary": "Restricting who can SSH in using sshd_config directives.",
"sections": [
{
"heading": "The Config File",
"body": "<p>SSH server configuration lives in <code>/etc/ssh/sshd_config</code>. Drop-in overrides can go in <code>/etc/ssh/sshd_config.d/*.conf</code>.</p><p><strong>Always test your config before reloading:</strong></p>",
"code": "sshd -t\n# If it prints nothing and exits 0, the config is valid.\nsystemctl reload ssh"
},
{
"heading": "AllowUsers and AllowGroups",
"body": "<p>These are whitelist directives. If either is set, only matching users or group members can log in. If neither is set, all users may try.</p>",
"code": "# Only these users may log in\nAllowUsers alice bob deploy\n\n# Only members of these groups may log in\nAllowGroups sshusers ops\n\n# Combining: user must match AllowUsers AND (if AllowGroups is set) be in an allowed group\n# These are independent filters—if both are set, a user must satisfy both."
},
{
"heading": "DenyUsers and DenyGroups",
"body": "<p>Blacklist alternatives. <code>DenyUsers</code> and <code>DenyGroups</code> are checked before Allow rules.</p><p>Prefer <code>AllowUsers</code>/<code>AllowGroups</code> over Deny lists—it is safer to enumerate who <em>can</em> in rather than who cannot.</p>"
},
{
"heading": "Other Common Restrictions",
"body": "",
"code": "# Disable root login entirely (recommended)\nPermitRootLogin no\n\n# Disable password authentication (once keys are working)\nPasswordAuthentication no\n\n# Change the listening port (minor obscurity, not real security)\nPort 2222\n\n# Restrict to specific network interface\nListenAddress 10.42.0.1\n\n# Idle session timeout (seconds × count before disconnect)\nClientAliveInterval 300\nClientAliveCountMax 2"
},
{
"heading": "Match Blocks",
"body": "<p>You can apply different rules to specific users, groups, or source addresses:</p>",
"code": "# Allow password auth only from the management network\nMatch Address 10.42.0.0/24\n PasswordAuthentication yes\n\n# Give one user a restricted shell\nMatch User backup-agent\n ForceCommand /usr/local/bin/backup-only\n AllowTcpForwarding no"
},
{
"heading": "Checking Who Has Access",
"body": "<p>There is no built-in command to list all users who currently satisfy the access rules. Check manually:</p>",
"code": "# Current AllowUsers/AllowGroups settings\ngrep -iE '(AllowUsers|AllowGroups|DenyUsers|DenyGroups)' /etc/ssh/sshd_config\n\n# Members of a group\ngetent group sshusers\n\n# All users with a valid shell (can SSH in if no restrictions)\ngrep -v '/nologin\\|/false' /etc/passwd"
}
]
}
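Review bot: the "Checking Who Has Access" section only greps `/etc/ssh/sshd_config`, so it misses the `/etc/ssh/sshd_config.d/*.conf` drop-ins that the first section tells the reader to use, and it cannot see directives applied inside Match blocks; suggest replacing the grep with `sshd -T | grep -iE '^(allowusers|allowgroups|denyusers|denygroups)'`, which prints the effective configuration after all includes, and mentioning `sshd -T -C user=alice,host=...,addr=...` for evaluating a specific Match case. Two smaller points in the same hunk: the "DenyUsers and DenyGroups" body says Deny rules are "checked before Allow rules", but sshd processes them as DenyUsers, AllowUsers, DenyGroups, AllowGroups, so only DenyUsers is strictly before the Allow rules, and the sentence "enumerate who <em>can</em> in" is missing "log". The "Match Blocks" section should also say that Match blocks must be the last thing in the file, since every directive after a Match line belongs to that block until the next Match.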