Can I use AllowUsers *@*.local in /etc/ssh/sshd_config?

I have a local network of machines which, I hope, are all using Zeroconf/Avahi/Bonjour.

I want only users on local machines to be able to ssh to these machines. (All users except root).

Can I just put the lines

PermitRootLogin no
AllowUsers  *@*.local

in /etc/ssh/sshd_config in each of these machines? I’m not sure of wildcard possibilities.

Do I have to worry about what else is in the file and where? (To start off with, all the machines will have Ubuntu Mate 16.04 with default /etc/ssh/sshd_config)

Shouldn't it already be sufficient to have only this line? If you exclude root, then what is left are the local users who should have access via SSH.

Well, I'm not sure. I got the impression that the default ssh server configuration allows access from the Internet. Here are some quotes from Ubuntu documentation. Have I got the wrong end of the stick?

Because a lot of people with SSH servers use weak passwords, many online
attackers will look for an SSH server, then start guessing passwords at
random.

and

Finally, try logging in from another computer elsewhere on the Internet -
perhaps from work (if your computer is at home) or from home (if your
computer is at your work).

I see. Does this help you?

Thanks.

So maybe I could use

PermitRootLogin no
ListenAddress thiscomputername.local

in each of the machines, although I lose the objective of having identical config files on all machines.


Well, I tried that.
No, that doesn't work.

$ ssh faustino.local
[email protected]'s password: 
Permission denied, please try again.

That fails from the same machine, from another machine and if I try ssh localhost. All those worked before I put those directives in.

I'm going to try

AllowUsers *@192.168.0.???

That worked. I mean it allowed
ssh faustino.local
from the machine itself and another machine on .local

Of course, I don't know if it would prevent any logins from outside the legitimate DHCP range.

AllowUsers *@*.local

Likely the reason this doesn't work is because nss-mdns does not resolve reverse DNS for IP addresses other than the link-local range (169.254.0.0/16). This is by design and per spec. So this will never work.