Kent Wick
2011-May-20 18:14 UTC
Possible error in coding of AllowUsers / AllowGroups in ssh 5.8p2
What I was trying to do:
I wanted to use the AllowGroups facility to allow users in by group instead of
listing individual usernames but also allow root only from a single central
host.
Setup actions:
targetusername on target host has a secondary group entry of "staff".
Updated sshd_config to add the lines:
AllowUsers root@nimsrvr
AllowGroups staff
targetusername is NOT listed in AllowUsers
Stopped and started sshd
Attempted to ssh from another host as "ssh targetusername@targethost
date"
I always get the syslog message "user X from Y not allowed because not
listed in AllowUsers".
The possible error (as I see it): The man page reads as if I should be able to
specify a groupname or list of groupnames without having to specify a list of
usernames. (it should be treated as an "or" condition). The way that
I read the code in "auth.c" is:
If the AllowUsers option is present, check the targetusername against the
AllowUsers list. If it is not in the list, return false (which appears to
reject the login). Only if the targetusername is in the AllowUsers list will
the code then check the AllowGroups list.
It appears that the code treats the AllowUsers / AllowGroups as an
"and" condition rather than an "or" condition as the man
page implies.
So either the code needs to change or the man page needs to change to be more
explicit on the processing of the parameters. :)
Kent Wick
512 867 7325
Unix System Admin
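The evaluation order the post reads out of auth.c is what sshd_config(5) documents: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, with every directive that is present having to pass. The following Python model is an added illustration, not OpenSSH code and not the poster's; it approximates sshd's pattern matching with fnmatch (so the "!" negation and address-list forms of the real matcher are not modelled), and the configuration, user names, host names and group memberships are the ones from the post or constructed for the example. Running it against the post's setup reproduces the "not listed in AllowUsers" rejection for targetusername, and also shows the less obvious consequence that root from nimsrvr must additionally belong to a group listed in AllowGroups.

```python
import fnmatch


def _match_entry(entry, user, host):
    """Match one AllowUsers/DenyUsers entry ("user" or "user@host" pattern)
    against the login name and the client host. Approximation of sshd's
    matcher using fnmatch-style * and ? wildcards."""
    if "@" in entry:
        user_pat, host_pat = entry.split("@", 1)
        return (fnmatch.fnmatchcase(user, user_pat)
                and fnmatch.fnmatchcase(host, host_pat))
    return fnmatch.fnmatchcase(user, entry)


def _match_group(groups, patterns):
    """True if any of the user's groups matches any group pattern."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def allowed_user(user, host, groups, cfg):
    """Model of sshd's allowed_user() as the post describes it.

    cfg maps directive name -> list of entries, e.g.
    {"AllowUsers": ["root@nimsrvr"], "AllowGroups": ["staff"]}.
    Directives are checked in the documented order DenyUsers, AllowUsers,
    DenyGroups, AllowGroups; each directive present must pass (AND), so a
    user rejected by AllowUsers is never rescued by AllowGroups.
    Returns (allowed, reason)."""
    deny_users = cfg.get("DenyUsers", [])
    allow_users = cfg.get("AllowUsers", [])
    deny_groups = cfg.get("DenyGroups", [])
    allow_groups = cfg.get("AllowGroups", [])

    if any(_match_entry(e, user, host) for e in deny_users):
        return False, "listed in DenyUsers"
    if allow_users and not any(_match_entry(e, user, host) for e in allow_users):
        return False, "not listed in AllowUsers"
    if _match_group(groups, deny_groups):
        return False, "group listed in DenyGroups"
    if allow_groups and not _match_group(groups, allow_groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


def or_semantics(user, host, groups, cfg):
    """The behaviour the poster expected from the man page: pass if EITHER
    AllowUsers or AllowGroups matches. Included only for contrast; this is
    NOT how sshd evaluates the directives."""
    in_users = any(_match_entry(e, user, host) for e in cfg.get("AllowUsers", []))
    in_groups = _match_group(groups, cfg.get("AllowGroups", []))
    return in_users or in_groups


# Configuration from the post; group memberships are constructed for the example.
POST_CONFIG = {"AllowUsers": ["root@nimsrvr"], "AllowGroups": ["staff"]}


def demo():
    """Evaluate the post's scenarios; returns a dict of (user, host) -> reason."""
    cases = {
        ("targetusername", "otherhost"): ["users", "staff"],  # staff member, not in AllowUsers
        ("root", "nimsrvr"): ["root"],                         # matches AllowUsers, not in staff
        ("root", "nimsrvr"): ["root", "staff"],                # matches AllowUsers and AllowGroups
        ("root", "otherhost"): ["root", "staff"],              # wrong source host
    }
    results = {}
    for (user, host), groups in cases.items():
        ok, reason = allowed_user(user, host, groups, POST_CONFIG)
        results[(user, host, tuple(groups))] = reason
        print(f"{user}@{host} groups={groups}: {'ALLOW' if ok else 'DENY'} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

The contrast with or_semantics() makes the post's point concrete: targetusername, who is in staff, passes under the OR reading but is denied by the real AND evaluation, which is the rejection the poster saw in syslog.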