Date: Wed, 27 Apr 2005 12:43:44 -0600 (MDT)
From: Brad Davis <so14k@so14k.com>
Reply-To: Brad Davis <so14k@so14k.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Add information on how to use AllowUsers to the OpenSSH section 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         80416
>Category:       docs
>Synopsis:       Add information on how to use AllowUsers to the OpenSSH section
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 27 18:50:20 GMT 2005
>Closed-Date:    Tue Jun 07 16:25:08 GMT 2005
>Last-Modified:  Tue Jun 07 16:25:08 GMT 2005
>Originator:     Brad Davis
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
	System: FreeBSD mccaffrey.house.so14k.com 5.4-STABLE FreeBSD 5.4-STABLE #0: Wed Apr 20 22:22:19 MDT 2005 root@mccaffrey.house.so14k.com:/usr/obj/usr/src/sys/SMP i386
>Description:
	Add information on how to use AllowUsers to the OpenSSH section.
>How-To-Repeat:
>Fix:

--- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
+++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 05:55:23 2005
@@ -1,4 +1,4 @@
-<!--
+t!--
      The FreeBSD Documentation Project
 
      $FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.269 2005/04/26 13:43:06 keramida Exp $
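
Review bot: the only changed line in this hunk replaces the comment opener `<!--` with `t!--`, so the header comment at the top of chapter.sgml is never opened and the file will not parse. This looks like a stray keystroke; drop the hunk so the patch only carries the new section.
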
@@ -4543,6 +4543,39 @@
 	    8000, successfully evading the firewall.</para>
         </sect4>
       </sect3>
+    </sect2>
+
+    <sect2>
+      <title>AllowUsers - Controlling what users are allowed to login
+        and from where</title>
+
+      <para>It is often a good idea to only allow users to login from a
+        certain host and not allow other users to login at all.
+        AllowUsers is a good way to accomplish this. For example, to
+        only allow the root user to login from <hostid
+        role="ipaddr">192.168.1.32</hostid>, something like this would
+        be appropriate for &man.sshd_config.5;:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32</programlisting>
+
+      <para>To allow a user, admin, to login from anywhere, use a
+        <quote>*</quote>:</para>
+
+      <programlisting>AllowUsers admin@*</programlisting>
+
+      <para>Multiple users will all be listed on the same line:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting>
+
+      <note>
+        <para>It is important that you list each user that needs to
+          login to this machine, otherwise they will be locked out.</para>
+      </note>
+
+      <para>After making any changes to <filename>sshd_config</filename>
+         you must restart &man.sshd.8; by running:</para>
+
+      <programlisting>&prompt.root; killall -HUP sshd</programlisting>
     </sect2>
 
     <sect2>
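
Review bot: in the last added `<programlisting>`, `killall -HUP sshd` signals every process named sshd, which includes the per-connection processes serving users who are already logged in, not only the listening daemon. Suggest signalling just the master process, for example through the rc script (`/etc/rc.d/sshd reload`), and changing "restart" in the paragraph above it to "reload", since the intent is for sshd to re-read sshd_config.
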
>Release-Note:
>Audit-Trail:

From: Brad Davis <so14k@so14k.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Wed, 27 Apr 2005 12:58:35 -0600

 Fix a typo where my fingers got ahead of themselves. Noticed by remko@
 
 
 --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
 +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 12:56:10 2005
 @@ -4546,6 +4546,39 @@
      </sect2>
  
      <sect2>
 +      <title>AllowUsers - Controlling what users are allowed to login
 +        and from where</title>
 +
 +      <para>It is often a good idea to only allow users to login from a
 +        certain host and not allow other users to login at all.
 +        AllowUsers is a good way to accomplish this. For example, to
 +        only allow the root user to login from <hostid
 +        role="ipaddr">192.168.1.32</hostid>, something like this would
 +        be appropriate for &man.sshd_config.5;:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32</programlisting>
 +
 +      <para>To allow a user, admin, to login from anywhere, use a
 +        <quote>*</quote>:</para>
 +
 +      <programlisting>AllowUsers admin@*</programlisting>
 +
 +      <para>Multiple users will all be listed on the same line:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting>
 +
 +      <note>
 +        <para>It is important that you list each user that needs to
 +          login to this machine, otherwise they will be locked out.</para>
 +      </note>
 +
 +      <para>After making any changes to <filename>sshd_config</filename>
 +         you must restart &man.sshd.8; by running:</para>
 +
 +      <programlisting>&prompt.root; killall -HUP sshd</programlisting>
 +    </sect2>
 +
 +    <sect2>
        <title>Further Reading</title>
        <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
        <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
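
Review bot: the lockout `<note>` comes after all three listings, so a reader who copies the first one (`AllowUsers root@192.168.1.32`) and signals sshd has already denied every other account before reaching it. State in the opening paragraph that once `AllowUsers` is set only the listed users can log in, and move the note ahead of the first `<programlisting>`.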

From: Marc Fonvieille <blackend@FreeBSD.org>
To: Brad Davis <so14k@so14k.com>
Cc: freebsd-doc@FreeBSD.org, bug-followup@FreeBSD.org
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Wed, 27 Apr 2005 21:15:53 +0200

 On Wed, Apr 27, 2005 at 07:00:32PM +0000, Brad Davis wrote:
 > The following reply was made to PR docs/80416; it has been noted by GNATS.
 > 
 > From: Brad Davis <so14k@so14k.com>
 > To: bug-followup@freebsd.org
 > Cc:  
 > Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
 > Date: Wed, 27 Apr 2005 12:58:35 -0600
 > 
 >  Fix a typo where my fingers got ahead of themselves. Noticed by remko@
 >  
 >  
 >  --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
 >  +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 12:56:10 2005
 >  @@ -4546,6 +4546,39 @@
 >       </sect2>
 >   
 >       <sect2>
 >  +      <title>AllowUsers - Controlling what users are allowed to login
 >  +        and from where</title>
 >  +
 
 I think you don't need to mention the option name in the title, but you
 have to respect "Chicago style" for titles like:
 
 	  <title>Controlling Which Users Are Allowed to Login and From
 	    Where</title>
 
 >  +      <para>It is often a good idea to only allow users to login from a
 >  +        certain host and not allow other users to login at all.
 >  +        AllowUsers is a good way to accomplish this. For example, to
 
             The <literal>AllowUsers</literal> option is a good way to
 	    accomplish this.  For example, to
 
 >  +        only allow the root user to login from <hostid
 
 	    only allow the <username>root</username> user to login
 	    from <hostid
 
 >  +        role="ipaddr">192.168.1.32</hostid>, something like this would
 >  +        be appropriate for &man.sshd_config.5;:</para>
 
 	    be appropriate in the
 	    <filename>/etc/ssh/sshd_config</filename> file:</para>
 
 >  +
 >  +      <programlisting>AllowUsers root@192.168.1.32</programlisting>
 >  +
 >  +      <para>To allow a user, admin, to login from anywhere, use a
 >  +        <quote>*</quote>:</para>
 
 	  <para>To allow a user, <username>admin</username>, to login
 	    from anywhere, use the following:</para>
 
 >  +
 >  +      <programlisting>AllowUsers admin@*</programlisting>
 
 >  +      <programlisting>AllowUsers admin</programlisting>
 
 		yes, @* is useless
 
 >  +
 >  +      <para>Multiple users will all be listed on the same line:</para>
 >  +
 >  +      <programlisting>AllowUsers root@192.168.1.32 admin@*</programlisting>
 
 	  <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
 >  +
 >  +      <note>
 >  +        <para>It is important that you list each user that needs to
 >  +          login to this machine, otherwise they will be locked out.</para>
 >  +      </note>
 >  +
 >  +      <para>After making any changes to <filename>sshd_config</filename>
 >  +         you must restart &man.sshd.8; by running:</para>
 >  +
 >  +      <programlisting>&prompt.root; killall -HUP sshd</programlisting>
 >  +    </sect2>
 >  +
 >  +    <sect2>
 >         <title>Further Reading</title>
 >         <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
 >         <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
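
Review bot: the closing paragraph of the quoted hunk still refers to `<filename>sshd_config</filename>` without a path. For consistency with the full path used for the first paragraph, use `<filename>/etc/ssh/sshd_config</filename>` there as well.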
 
 
 Marc

From: Brad Davis <so14k@so14k.com>
To: bug-followup@freebsd.org, blackend@freebsd.org, danger@rulez.sk
Cc:  
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Wed, 27 Apr 2005 17:20:44 -0600

 Updated with corrections based on input by blackend@ and Daniel Gerzo.
 
 
 --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
 +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 17:18:13 2005
 @@ -4546,6 +4546,41 @@
      </sect2>
  
      <sect2>
 +      <title>AllowUsers - Controlling What Users Are Allowed to Login
 +        and From Where</title>
 +
 +      <para>It is often a good idea to only allow users to login from a
 +        certain host and not allow other users to login at all.  The
 +        <literal>AllowUsers</literal> options is a good way to
 +        accomplish this.  For example, to only allow the root user to
 +        login from <hostid role="ipaddr">192.168.1.32</hostid>,
 +        something like this would be appropriate in the
 +        <filename>/etc/ssh/sshd_config</filename> file:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32</programlisting>
 +
 +      <para>To allow a user, <username>admin</username>, to login from
 +        anywhere, just list the username by itself:</para>
 +
 +      <programlisting>AllowUsers admin</programlisting>
 +
 +      <para>Multiple users will all be listed on the same line:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
 +
 +      <note>
 +        <para>It is important that you list each user that needs to
 +          login to this machine, otherwise they will be locked out.</para>
 +      </note>
 +
 +      <para>After making any changes to
 +         <filename>/etc/ssh/sshd_config</filename> you must tell
 +         &man.sshd.8; to reload it's config files, by running:</para>
 +
 +      <programlisting>&prompt.root; /etc/rc.d/sshd reload</programlisting>
 +    </sect2>
 +
 +    <sect2>
        <title>Further Reading</title>
        <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
        <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
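
Review bot: in the first added paragraph, "the root user" is still plain text while `admin` two paragraphs later is wrapped in `<username>`; mark up `root` the same way. The same paragraph reads `<literal>AllowUsers</literal> options is`, which should be "option is".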

From: Brad Davis <so14k@so14k.com>
To: bug-followup@freebsd.org, blackend@freebsd.org
Cc:  
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Wed, 27 Apr 2005 18:18:34 -0600

 Add <varname> tags in the title around AllowUsers so that it is visible
 (for those who know what they are looking for...).
 
 
 
 --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 01:28:51 2005
 +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Wed Apr 27 18:16:38 2005
 @@ -4546,6 +4546,41 @@
      </sect2>
  
      <sect2>
 +      <title><varname>AllowUsers</varname> - Controlling What Users Are
 +        Allowed to Login and From Where</title>
 +
 +      <para>It is often a good idea to only allow users to login from a
 +        certain host and not allow other users to login at all.  The
 +        <literal>AllowUsers</literal> options is a good way to
 +        accomplish this.  For example, to only allow the root user to
 +        login from <hostid role="ipaddr">192.168.1.32</hostid>,
 +        something like this would be appropriate in the
 +        <filename>/etc/ssh/sshd_config</filename> file:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32</programlisting>
 +
 +      <para>To allow a user, <username>admin</username>, to login from
 +        anywhere, just list the username by itself:</para>
 +
 +      <programlisting>AllowUsers admin</programlisting>
 +
 +      <para>Multiple users will all be listed on the same line:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
 +
 +      <note>
 +        <para>It is important that you list each user that needs to
 +          login to this machine, otherwise they will be locked out.</para>
 +      </note>
 +
 +      <para>After making any changes to
 +         <filename>/etc/ssh/sshd_config</filename> you must tell
 +         &man.sshd.8; to reload it's config files, by running:</para>
 +
 +      <programlisting>&prompt.root; /etc/rc.d/sshd reload</programlisting>
 +    </sect2>
 +
 +    <sect2>
        <title>Further Reading</title>
        <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
        <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
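
Review bot: the title now marks the option up as `<varname>AllowUsers</varname>` while the first paragraph still uses `<literal>AllowUsers</literal>`. Pick one element for the option name and use it in both places.
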
Responsible-Changed-From-To: freebsd-doc->jcamou  
Responsible-Changed-By: jcamou 
Responsible-Changed-When: Mon May 2 06:52:24 GMT 2005 
Responsible-Changed-Why:  
Grab it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=80416 

From: Brad Davis <so14k@so14k.com>
To: bug-followup@freebsd.org, jcamou@freebsd.org, trhodes@freebsd.org
Cc:  
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Thu, 26 May 2005 19:42:06 -0600

 More changes based on input from trhodes@
 
 
 
 --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26 19:04:27 2005
 +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26 19:38:05 2005
 @@ -4548,6 +4548,40 @@
      </sect2>
  
      <sect2>
 +      <title>The <varname>AllowUsers</varname> Users Option</title>
 +
 +      <para>It is often a good idea to limit what users can login and
 +        from where.  The <literal>AllowUsers</literal> option is a good
 +        way to accomplish this.  For example, to only allow the
 +        <username>root</username> user to login from
 +        <hostid role="ipaddr">192.168.1.32</hostid>, something like this
 +        would be appropriate in the
 +        <filename>/etc/ssh/sshd_config</filename> file:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32</programlisting>
 +
 +      <para>To allow a user, <username>admin</username>, to login from
 +        anywhere, just list the username by itself:</para>
 +
 +      <programlisting>AllowUsers admin</programlisting>
 +
 +      <para>Multiple users should be listed on the same line, like so:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
 +
 +      <note>
 +        <para>It is important that you list each user that needs to
 +          login to this machine, otherwise they will be locked out.</para>
 +      </note>
 +
 +      <para>After making changes to
 +         <filename>/etc/ssh/sshd_config</filename> you must tell
 +         &man.sshd.8; to reload it's config files, by running:</para>
 +
 +      <screen>&prompt.root; <userinput>/etc/rc.d/sshd reload</userinput>/screen>
 +    </sect2>
 +
 +    <sect2>
        <title>Further Reading</title>
        <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
        <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1; 
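
Review bot: the last added listing ends with `</userinput>/screen>`, so the `<screen>` element is never closed and the chapter will not build; it should end `</userinput></screen>`. The new title, `The <varname>AllowUsers</varname> Users Option`, also repeats "Users".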
 
Responsible-Changed-From-To: jcamou->brd 
Responsible-Changed-By: brd 
Responsible-Changed-When: Wed Jun 1 17:56:57 GMT 2005 
Responsible-Changed-Why:  
Over to me. 

From: Ceri Davies <ceri@FreeBSD.org>
To: Brad Davis <brd@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/80416: Add information on how to use AllowUsers to the OpenSSH section
Date: Wed, 1 Jun 2005 22:16:49 +0100

 Hey Brad,
 
 Here are the nits :)
 
 --- doc-ori/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26=
  19:04:27 2005
 +++ doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml	Thu May 26 19:=
 38:05 2005
 @@ -4548,6 +4548,40 @@
      </sect2>
 =20
      <sect2>
 +      <title>The <varname>AllowUsers</varname> Users Option</title>
 +
 +      <para>It is often a good idea to limit what users can login and
 
 s/what/which/, and "login" isn't actually a verb, so s/login/log in/ (yes,
 I know that this is inconsistent in the existing docs).
 
 +        from where.  The <literal>AllowUsers</literal> option is a good
 +        way to accomplish this.  For example, to only allow the
 +        <username>root</username> user to login from
 
 s/login/log in/
 
 
 +        <hostid role=3D"ipaddr">192.168.1.32</hostid>, something like this
 +        would be appropriate in the
 +        <filename>/etc/ssh/sshd_config</filename> file:</para>
 +
 +      <programlisting>AllowUsers root@192.168.1.32</programlisting>
 +
 +      <para>To allow a user, <username>admin</username>, to login from
 +        anywhere, just list the username by itself:</para>
 
 Too many commas.  All Americans (and Germans) are guilty of this; don't
 feel bad :) I'd suggest:
 
        <para>To allow the user <username>admin</username> to log in from
          anywhere, just list the username by itself:</para>
 
 +      <para>Multiple users should be listed on the same line, like so:</pa=
 ra>
 +
 +      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
 +
 +      <note>
 +        <para>It is important that you list each user that needs to
 +          login to this machine, otherwise they will be locked out.</para>
 
 Blah, login/log in again.  Also, that comma should be a semicolon.
 
 +      <para>After making changes to
 +         <filename>/etc/ssh/sshd_config</filename> you must tell
 +         &man.sshd.8; to reload it's config files, by running:</para>
 
 OK, now is my major #1 bugbear (and this is in the Apache logs patch
 too) - if "it's" refers to anything other than "it is" or "it has", then
 you have it wrong and you should have written "its" instead.
 
 Other than that, this looks good!
 
 Ceri
 --
 Only two things are infinite, the universe and human stupidity, and I'm
 not sure about the former.			  -- Einstein (attrib.)
 
State-Changed-From-To: open->closed 
State-Changed-By: brd 
State-Changed-When: Tue Jun 7 16:23:30 GMT 2005 
State-Changed-Why:  
Committed.
>Unformatted:
