bugzilla-daemon at mindrot.org
2015-Apr-28 08:49 UTC
[Bug 2391] New: Enhance AllowGroups documentation in man page
https://bugzilla.mindrot.org/show_bug.cgi?id=2391
Bug ID: 2391
Summary: Enhance AllowGroups documentation in man page
Product: Portable OpenSSH
Version: 6.8p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Our customer got into problems using AllowGroup in combination with
AllowUsers, because documentation in this part is little bit unclear.
Original problem is that when you use AllowUsers in combination with
AllowGroups, only users who are specified in AllowUsers AND some of
their group is in AllowGroups can login.
Minimal test case:
/etc/ssh/sshd_config>AllowUsers user
>AllowGroups user
user:user can log in
/etc/ssh/sshd_config>AllowUsers user
>AllowGroups othergroup
user:user can NOT log in
/etc/ssh/sshd_config>AllowUsers otheruser
>AllowGroups user
user:user can NOT log in
Manual page states:> ".. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups."
There is not mentioned what happens, if you succeed with User. If the
chain continues to Groups tests or not. This should be clear not to
confuse users.
In spite of all the other bugs related to similar issue (#2292, #1690)
I would say that this should be properly documented. Changes in
evaluation can be pretty dangerous.
Customer propose to mention this exact use case:>If both AllowGroups and AllowUsers are specified, both must succeed before
login is allowed.
My proposal is more generic. I would append such a sentence after above
mentioned quote:> All of the user and group tests must succeed, before user is allowed to
login.
If I don't miss something, this should explain it little bit better and
avoid further confusion.
--
You are receiving this mail because:
You are watching the assignee of the bug.
Possibly Parallel Threads
- [Bug 2292] New: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters
- [Bug 3193] New: Add separate section in sshd_config man page on Access Control
- [Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified
- AllowUsers "logic" and failure to indicate bad configuration
- ((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Wisdom of the Ancients
