Bug 3193 - Add separate section in sshd_config man page on Access Control
Summary: Add separate section in sshd_config man page on Access Control
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: 8.3p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-19 01:26 AEST by Stephen Satchell
Modified: 2020-07-21 23:42 AEST

See Also:


Description Stephen Satchell 2020-07-19 01:26:29 AEST
In the sshd_config man page, I suggest you add a separate section to provide a summary of common access control methods.

ACCESS CONTROL

In sshd, the access controls are placed in the configuration file.  The following example is a starting point for a simple access policy:

  PermitRootLogin no
  DenyUsers  @*
  DenyGroups root
  AllowUsers user@10.1.1.*       # Local network
  AllowUsers user@1.2.3.4        # External site 1
  AllowUsers user@76.209.1.162   # External site 2
  Match group ssh-users
    AllowUsers *

The PermitRootLogin directive prevents ne'er-do-wells from brute-force attacking your root password. The DenyGroups directive backs up the no-root-login policy.

The DenyUsers wildcard establishes a mostly-closed security policy.

Each AllowUsers directive permits unrestricted access for "user" sourced from the specified IPv4 address.  (*** IPv6 example?)

The Match directive and the accompanying AllowUsers predicate permits any user, belonging to group "ssh-users", to log in from anywhere. (Remember not to specify "ssh-users" as a group for root.)  A safer predicate would be "AllowUsers *@10.1.1.*" to limit access on the local LAN.

----
Permission to use the above granted.

If y'all think it appropriate, you can include verbiage describing how AllowUsers, DenyUsers, AllowGroups, and DenyGroups interact.  Also, what directives can trump other directives.  In particular, how sshd handles overlapping AllowUsers and DenyUsers directives -- which wins?
Comment 1 Stephen Satchell 2020-07-21 23:42:57 AEST
I've added a bit to my new server using OpenSSH.  This is specific to a server, not a general access system.  To summarize:

# Boilerplate
PermitRootLogin		no
PermitEmptyPasswords 	no
IgnoreRhosts		yes
DenyUsers  root
# Add DenyUsers for all "role" accounts
DenyUsers  nobody
# Set up mostly-closed security model
DenyUsers  @*
# Allow specific user from internal network
AllowUsers user@10.1.1.*
# Allow specific user from outside IP address
AllowUsers user@1.2.3.4
AllowUsers user@5.6.7.8
AllowUsers user@9.10.11.12

Again, permission to use is given to anyone.
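The "which wins?" question in the description and the two configurations above can be worked through with a small model of sshd's documented evaluation order (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups) and its USER@HOST pattern form. This is an added example written for this report, not OpenSSH's own code: all function names are hypothetical, it matches only against the client address (sshd also checks the resolved host name), and it supports `*` and `?` but not `!` negation.

```python
# Simplified model of sshd's user/group allow-deny evaluation (added example,
# not OpenSSH code). Directives are checked in the order documented in
# sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups.
import re


def _glob(s: str, pattern: str) -> bool:
    """sshd-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, s) is not None


def match_user(user: str, addr: str, pattern: str) -> bool:
    """USER@HOST patterns check the user name and the address separately."""
    if "@" not in pattern:
        return _glob(user, pattern)
    upat, hpat = pattern.split("@", 1)
    # An empty USER part only matches an empty user name, i.e. nobody,
    # so a pattern such as "@*" denies no real account.
    return _glob(user, upat) and _glob(addr, hpat)


def allowed(user, groups, addr, deny_users=(), allow_users=(),
            deny_groups=(), allow_groups=()) -> bool:
    """Return True if the login would pass the four list checks."""
    if any(match_user(user, addr, p) for p in deny_users):
        return False                      # DenyUsers is checked first, so it wins
    if allow_users and not any(match_user(user, addr, p) for p in allow_users):
        return False                      # AllowUsers present: must match one
    if any(_glob(g, p) for g in groups for p in deny_groups):
        return False
    if allow_groups and not any(_glob(g, p) for g in groups for p in allow_groups):
        return False
    return True


# Constructed policy mirroring the AllowUsers/DenyUsers lines in the report.
REPORT_DENY_USERS = ("@*",)
REPORT_ALLOW_USERS = ("user@10.1.1.*", "user@1.2.3.4", "user@76.209.1.162")

if __name__ == "__main__":
    for who, src in (("user", "10.1.1.7"), ("user", "203.0.113.9"), ("alice", "10.1.1.7")):
        print(who, src, allowed(who, (), src, REPORT_DENY_USERS, REPORT_ALLOW_USERS))
```

Running the model over the report's policy shows that a user matching both a DenyUsers and an AllowUsers line is denied, because DenyUsers is evaluated first, and that `@*` matches no user name since its USER part is empty; a catch-all deny line would need `DenyUsers *`.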