frost-craft/frost-zx.github.io
1
0
Fork 0
Code Activity
Files
main
frost-zx.github.io/docs/content/linux-ssh-allow-or-deny-user.md
Frost-ZX afea227c37 docs: 更新文章内容
2025-10-13 10:20:34 +08:00

98 lines
3.5 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "Linux 允许或禁止指定用户进行 SSH 登录"
date: 2025-03-16T16:04:28Z
lastmod: 2025-03-16T16:06:51Z
tags: [Linux,SSH,配置]
---
# Linux 允许或禁止指定用户进行 SSH 登录
## 参考资料
- [Ubuntu Manpage: sshd_config](http://manpages.ubuntu.com/manpages/precise/en/man5/sshd_config.5.html)
- [Ubuntu Manpage: ssh_config](http://manpages.ubuntu.com/manpages/precise/en/man5/ssh_config.5.html)
## 允许指定用户登录(白名单)
在 sshd 的配置文件 `/etc/ssh/sshd_config` 中添加 `AllowUsers` 项,其后方跟随以空格分隔的用户名 PATTERN 列表。
例如允许 `test-a` 用户和从 `192.168.1.100` 登录的 `test-b` 用户:
```plaintext
AllowUsers test-a test-b@192.168.1.100
```
**原文**
> This keyword can be followed by a list of user name patterns, separated by spaces.
>
> If specified, login is allowed only for user names that match one of the patterns.
>
> Only user names are valid; a numerical user ID is not recognized.
>
> By default, login is allowed for all users.
>
> If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
>
> The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
## 禁止指定用户登录(黑名单)
在 sshd 的配置文件 `/etc/ssh/sshd_config` 中添加 `DenyUsers` 项,,其后方跟随以空格分隔的用户名 PATTERN 列表。
例如禁止 `test-c` 用户和从 `192.168.1.100` 登录的 `test-d` 用户:
```plaintext
DenyUsers test-c test-d@192.168.1.100
```
**原文**
> This keyword can be followed by a list of user name patterns, separated by spaces.
>
> Login is disallowed for user names that match one of the patterns.
>
> Only user names are valid; a numerical user ID is not recognized.
>
> By default, login is allowed for all users.
>
> If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
>
> The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
## PATTERN
一个 PATTERN 由零个或多个非空白字符以及“\*”(匹配零个或多个字符的通配符)或“?”(仅匹配一个字符的通配符)组成。
例如匹配主机 `192.168.0.0` \~ `192.168.0.9`,可以使用:
```plaintext
192.168.0.?
```
**原文**
```plaintext
A pattern consists of zero or more non-whitespace characters, * (a wildcard that matches zero or more characters), or ? (a wildcard that matches exactly one character).
For example, to specify a set of declarations for any host in the “.co.uk” set of domains, the following pattern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns.
Patterns within pattern-lists may be negated by preceding them with an exclamation mark (!).
For example, to allow a key to be used from anywhere within an organisation except from the “dialup” pool, the following entry (in authorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
```
## 注意
- 配置完成后需要重启 `sshd` 服务(例如 `service sshd restart`)。
- 配置的 allow / deny 指令按照此顺序进行处理:`DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups`
View Git Blame Copy Permalink