
Configuring Client Host Access

Edit the server configuration file (/etc/ssh2/sshd2_config) to control access to the server. The following keywords configure settings for client host computers: AllowHosts, DenyHosts, HostSpecificConfig. You can specify hosts using either IP addresses or domain names. The server first tries to match using the IP address of the client. If that fails, it tries to match using a domain name.

Note: The ResolveClientHostname setting controls whether the server attempts to resolve the client IP address to a domain name; the default is 'yes'. The resolved domain name for a client is always the fully qualified domain name. When you add a host to the allow or deny list by domain name, you must therefore use either a fully qualified domain name or a regular expression so that host domain names are matched correctly. For example, if you deny access to the client "mypc", the client will still be able to connect. You must explicitly deny access to "mypc\.myhost\.com" or use an expression such as "mypc\..*" to ensure that this client is denied access.

You can also configure the server to force a match based on IP address. To force matching to a specific IP address, start the host expression using a backslash followed by i (\i). For example:

DenyHosts = \i123.45.78.9

To match a range of IP addresses using a CIDR (Classless Inter-Domain Routing) subnet, start the host expression using a backslash followed by m (\m). For example:

DenyHosts = \m123.123.0.0/16

Note: If you use either \i or \m, regular expressions are not supported within the IP address.
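The following Python sketch is an added example, not code from the product: it models the matching rules described above so that a deny list can be checked against sample clients before it is deployed. It assumes a pattern must match the whole IP address or whole fully qualified domain name, and uses Python's re module as a stand-in for the server's regular expression syntax; the function names, the address 10.0.0.5 and the example.net host names are constructed for illustration.

```python
import ipaddress
import re

def host_matches(pattern, client_ip, client_fqdn=None):
    """Model of the host matching described on this page (not the server's code)."""
    if pattern.startswith("\\i"):
        # \i forces a literal IP address comparison; no regex inside the address.
        return ipaddress.ip_address(pattern[2:]) == ipaddress.ip_address(client_ip)
    if pattern.startswith("\\m"):
        # \m matches a CIDR subnet.
        network = ipaddress.ip_network(pattern[2:], strict=False)
        return ipaddress.ip_address(client_ip) in network
    # Otherwise the IP address is tried first, then the resolved domain name.
    # Assumption: the pattern must match the entire string.
    if re.fullmatch(pattern, client_ip):
        return True
    # In this model a client with no resolved name can only match by address.
    return client_fqdn is not None and re.fullmatch(pattern, client_fqdn) is not None

def matching_rules(patterns, client_ip, client_fqdn=None):
    """Return the list entries that match this client."""
    return [p for p in patterns if host_matches(p, client_ip, client_fqdn)]

# Constructed deny list built from the examples on this page.
DENY = ["mypc", r"mypc\.myhost\.com", r"mypc\..*",
        r"\i123.45.78.9", r"\m123.123.0.0/16"]

# Constructed clients: (IP address, resolved fully qualified name or None).
CLIENTS = [
    ("10.0.0.5", "mypc.myhost.com"),
    ("123.45.78.9", None),
    ("123.123.200.7", "gw.example.net"),
    ("123.124.0.1", "other.example.net"),
]

if __name__ == "__main__":
    for ip, fqdn in CLIENTS:
        hits = matching_rules(DENY, ip, fqdn)
        print(f"{ip:15} {fqdn or '-':20} matched by: {hits or 'nothing'}")
```

In the output, the bare entry "mypc" never appears in any match list, which is the gap the first note warns about.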
