Add information on how to use sshd's AllowUser option.

PR:			docs/80416
Submitted By:	me
Approved By:	ceri (mentor)

en_US.ISO8859-1/books/handbook/security/chapter.sgml

@@ -4547,6 +4547,40 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
       </sect3>
     </sect2>
 
+    <sect2>
+      <title>The <varname>AllowUsers</varname> Users Option</title>
+
+      <para>It is often a good idea to limit which users can log in and
+        from where.  The <literal>AllowUsers</literal> option is a good
+        way to accomplish this.  For example, to only allow the
+        <username>root</username> user to log in from
+        <hostid role="ipaddr">192.168.1.32</hostid>, something like this
+        would be appropriate in the
+        <filename>/etc/ssh/sshd_config</filename> file:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32</programlisting>
+
+      <para>To allow the user <username>admin</username> to log in from
+        anywhere, just list the username by itself:</para>
+
+      <programlisting>AllowUsers admin</programlisting>
+
+      <para>Multiple users should be listed on the same line, like so:</para>
+
+      <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
+
+      <note>
+        <para>It is important that you list each user that needs to
+          log in to this machine; otherwise they will be locked out.</para>
+      </note>
+
+      <para>After making changes to
+         <filename>/etc/ssh/sshd_config</filename> you must tell
+         &man.sshd.8; to reload its config files, by running:</para>
+
+      <screen>&prompt.root; <userinput>/etc/rc.d/sshd reload</userinput>/screen>
+    </sect2>
+
     <sect2>
       <title>Further Reading</title>
       <para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>