Diffstat (limited to 'etc/ssh')
-rw-r--r--  etc/ssh/sshd_config  21
1 files changed, 20 insertions, 1 deletions
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index d5d12057..bf7498f8 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -9,7 +9,26 @@ KbdInteractiveAuthentication no UsePAM yes # when ssh into this remote server, client if use alacritty need `SendEnv COLORTERM` to send the env to server, so server ls can default output color, more see comments in my alacritty.toml config AcceptEnv COLORTERM -AllowUsers gitolite@10.0.0.0/24 + +# https://unix.stackexchange.com/a/472848 wrote about sshd_config AllowUsers +# CIDR address: "Notice that that will not work with 'inconsistent' addresses +# (where the bits outside the mask are not all 0, eg. 192.168.177.0/22)". My +# understanding is that 177 in binary is 10110001, 32-22=10 so 192.168.177.0 +# last 10 binary are 0100000000, note there's a 1 so it will not work; and +# 192.168.176.0/22 works because its last 10 binary are all 0. `man +# sshd_config` also wrote about this: "Note that the mask length provided must +# be consistent with the address - it is an error to specify a mask length that +# is too long for the address or one with bits set in this host portion of the +# address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively."; the +# second part of the comment "one with bits set in this host portion of the +# address" with the example CIDR ip 192.0.2.0/8 matched my understanding above, +# 192.0.2.0/8 has a 2 which is 10 in binary which is a bit set "in" the CIDR /8 +# range, so it will not work. Just before that quote, it also gives an example +# of 192.0.2.0/24 which should work. Not tested. +# +# My test shows `AllowUsers gitolite@localhost` does not work, so I use +# 127.0.0.1 and ::1 +AllowUsers gitolite@10.0.0.0/24 gitolite@127.0.0.1 gitolite@::1 # Include drop-in configurations Include /etc/ssh/sshd_config.d/*.conf |
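Review bot: the "Not tested." admission in the new comment is the thing to resolve before this lands, because an AllowUsers entry with an inconsistent CIDR (host bits set, or a mask longer than the address) is a configuration error that makes sshd refuse the file, and a failed restart on a remote box cuts off exactly the access this rule is meant to keep. Run `sshd -t` to validate the file and `sshd -T` to print the effective AllowUsers list before restarting; the 10.0.0.0/24, 127.0.0.1 and ::1 entries on the new `AllowUsers` line are all consistent, so they should pass. The twenty-line derivation of why 192.168.177.0/22 is rejected belongs in the commit message rather than inline in sshd_config; a single comment such as `# CIDR host bits must be zero, see sshd_config(5) AllowUsers` keeps the file readable while pointing at the authoritative text.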