9.1 Access Control Settings

The table below provides an overview of server settings you can use to control client access to the server.

By default, all client users with an account on the server host can connect to the server, open a terminal session, and access all local files and directories allowed for their user account from any client computer. You can edit the server configuration file (/etc/ssh2/sshd2_config) to customize access for client users, groups, and computers.

To

Use

Set the maximum number of connections

MaxConnections

Set the maximum number of multiplexed sessions supported over a single TCP connection. To disable connection reuse, set this keyword to 1.

MaxSessions

Allow access to specified session types only

SessionRestricted

Control access from client users
  • AllowUsers
  • DenyUsers
  • UserSpecificConfig

Control access from client groups
  • AllowGroups
  • DenyGroups
  • UserSpecificConfig

Control access from client hosts
  • AllowHosts
  • DenyHosts
  • HostSpecificConfig

Control access using TCP Wrappers

LibWrap

Restrict sftp and scp users or groups to a confined directory tree
  • ChrootSftpUsers
  • ChrootSftpGroups

Control upload and download access rights for sftp and scp users.

AllowSftpCommands

Restrict port forwarding
  • AllowTcpForwardingForGroups
  • DenyTcpForwardingForGroups
  • AllowTcpForwardingForUsers
  • DenyTcpForwardingForUsers
  • ForwardACL
  • GatewayPorts
  • AllowX11Forwarding
  • X11UseLocalHost

Configure PAM authentication
  • AccountManagement
  • AuthKbdInt.Required
  • PamServiceName
  • UsePamSessions

Related Topics