Bug 3193

Summary: Add separate section in sshd_config man page on Access Control
Product: Portable OpenSSH Reporter: Stephen Satchell <spamfilter>
Component: DocumentationAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: spamfilter
Priority: P5    
Version: 8.3p1   
Hardware: Other   
OS: Linux   

Description Stephen Satchell 2020-07-19 01:26:29 AEST 
In the sshd_config man page, I suggest you add a separate section to provide a summary of common access control methods.

ACCESS CONTROL

In sshd, the access controls are placed in the configuration file.  The following example is a starting point for a simple access policy:

  PermitRootLogin no
  DenyUsers  @*
  DenyGroups root
  AllowUsers user@10.1.1.*       # Local network
  AllowUsers user@1.2.3.4        # External site 1
  AllowUsers user@76.209.1.162   # External site 2
  Match group ssh-users
    AllowUsers *

The PermitRootLogin directive prevents ne'er-do-wells from brute-force attacking your root password. The DenyGroups directive backs up the no-root-login policy

The DenyUsers wild card establishes a mostly-closed security policy.

Each AllowUsers directive permits unrestricted access for "user" sourced from the specified IPv4 address.  (*** IPv6 example?)

The Match directive and the accompanying AllowUsers predicate permits any user, belonging to group "ssh-users", to log in from anywhere. (Remember not to specify "ssh-users" as a group for root.)  A safer predicate would be "AllowUsers *@10.1.1.*" to limit access on the local LAN.

----
Permission to use the above granted.

If y'all think it appropriate, you can include verbage describing how AllowUsers, DenyUsers, AllowGroups, and DenyGroups interact.  Also, what directives can trump other directives.  In particular, how sshd handles overlapping AllowUsers and DenyUsers directives -- which wins?
Comment 1 Stephen Satchell 2020-07-21 23:42:57 AEST 
I've added a bit to my new server using Open SSH.  This
is specific to a server, not a general access system
To summarize:

# Boilerplate
PermitRootLogin		no
PermitEmptyPasswords 	no
IgnoreRhosts		yes
DenyUsers  root
# Add DenyUsers for all "role" accounts
DenyUsers  nobody
# Set up mostly-closed security model
DenyUsers  @*
# Allow specific user from internal network
AllowUsers user@10.1.1.*
# Allow specific user from outside IP address
AllowUsers user@1.2.3.4
AllowUsers user@5.6.7.8
AllowUsers user@9.10.11.12

Again, permission to use is given to anyone.