authorXiao Pan <xyz@flylightning.xyz>2025-07-15 15:41:16 +0800
committerXiao Pan <xyz@flylightning.xyz>2025-07-15 15:41:16 +0800
commit46e2292f012f83880b133070287016f97820dfb3 (patch)
tree7675632c1b14266d165ab0466ec287e6ed641551
parent82159d8120d049440697fcbe7f0929f80eeea30d (diff)
sshd config: add comment explaining that AllowUsers CIDR addresses must be consistent (no host bits set)
-rw-r--r--etc/ssh/sshd_config15
1 files changed, 15 insertions, 0 deletions
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
index d5d12057..62793759 100644
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
@@ -9,6 +9,21 @@ KbdInteractiveAuthentication no
UsePAM yes
# when ssh into this remote server, client if use alacritty need `SendEnv COLORTERM` to send the env to server, so server ls can default output color, more see comments in my alacritty.toml config
AcceptEnv COLORTERM
+# https://unix.stackexchange.com/a/472848 wrote about sshd_config AllowUsers
+# CIDR address: "Notice that that will not work with 'inconsistent' addresses
+# (where the bits outside the mask are not all 0, eg. 192.168.177.0/22)". My
+# understanding is that 177 in binary is 10110001, 32-22=10 so 192.168.177.0
+# last 10 binary are 0100000000, note there's a 1 so it will not work; and
+# 192.168.176.0/22 works because its last 10 binary are all 0. `man
+# sshd_config` also wrote about this: "Note that the mask length provided must
+# be consistent with the address - it is an error to specify a mask length that
+# is too long for the address or one with bits set in this host portion of the
+# address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively."; the
+# second part of the comment "one with bits set in this host portion of the
+# address" with the example CIDR ip 192.0.2.0/8 matched my understanding above,
+# 192.0.2.0/8 has a 2 which is 10 in binary which is a bit set "in" the CIDR /8
+# range, so it will not work. Just before that quote, it also gives an example
+# of 192.0.2.0/24 which should work. Not tested.
AllowUsers gitolite@10.0.0.0/24
# Include drop-in configurations