Kai Schaetzl
2014-Jun-26 10:52 UTC
[CentOS] sshd_config AllowUsers syntax wrong in documentation
It seems the syntax for AllowUsers in sshd_config is not the same as that
given in man sshd_config and in several documents on the web.
(http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config)
e.g.
AllowUsers root
does work.
AllowUsers root username
does not work.
If I try to login as root I get "User root from <hostname> not allowed
because not listed in AllowUsers". I tried separating by comma (just in
case) which fails as well.
man page mentions checking against hosts only if you use a root at hostname
pattern there.
AllowUsers root@* username
works for me (with root, didn't check the username), but this should not
be necessary according to documentation.
If "root" is allowed as a "pattern" it doesn't matter if there are more
"patterns" coming or not.
It seems that as soon as two names are listed it's read as one user
("root username"), e.g. it does not use the whitespace as a terminator.
UsePAM=no , in case that makes a difference.
CentOS 5.9, standard OpenSSH.
I've noticed this discrepancy already in the past, but didn't
investigate.
I also think that this syntax contradicts what man ssh_config says about
pattern lists, because for pattern-lists (which I understand is a list of
patterns for one directive) ssh wants a comma-separated list.
http://www.openssh.com/cgi-bin/man.cgi?query=ssh_config
(man sshd_config says to look in ssh_config for pattern syntax.)
I think this is a serious bug as it can lock you out very quickly while
you want to secure your machine (once you want to have more than one
user).
Do you share the same opinion or am I doing something wrong and it works
like advertised?
Kai
Arun Khan
2014-Jun-27 06:38 UTC
[CentOS] sshd_config AllowUsers syntax wrong in documentation
On Thu, Jun 26, 2014 at 4:22 PM, Kai Schaetzl <maillists at conactive.com> wrote:
> It seems the syntax for AllowUsers in sshd_config is not the same as that
> given in man sshd_config and in several documents on the web.
> (http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config)
>
> e.g.
>
> AllowUsers root
>
> does work.
>
> AllowUsers root username

IIRC, I had encountered a similar issue on a Debian box but did not
investigate much. Instead, I went with the "AllowGroups" option e.g.

AllowGroups admins

and add users to the group. Only members of the group can login with ssh.

HTH,
-- Arun Khan
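As an added example (not from either poster, nor OpenSSH code), the following dry-run evaluator applies the documented semantics of the directives discussed in both posts: whitespace-separated patterns, USER@HOST patterns that also match the client host, '*' and '?' wildcards, and the documented evaluation order DenyUsers, AllowUsers, DenyGroups, AllowGroups. It lets you check a config fragment against the user/host/group combinations you care about before reloading the daemon and risking a lockout; it assumes no Match blocks and uses Python's fnmatch as an approximation of OpenSSH's pattern matcher.

```python
"""Dry-run evaluator for sshd_config allow/deny directives.
Follows the documented semantics (man sshd_config): patterns are separated
by whitespace, USER@HOST patterns also match the client's host, and '*' / '?'
wildcards apply.  Added example, not OpenSSH code; the real daemon on a
given build is the final authority, so keep a second session open when testing."""
import fnmatch  # assumption: fnmatchcase approximates OpenSSH's match_pattern() for '*' and '?'

DIRECTIVES = ('DenyUsers', 'AllowUsers', 'DenyGroups', 'AllowGroups')

# Constructed sshd_config fragments mirroring the two posts
KAI_CONFIG = "AllowUsers root username\n"        # the line reported as failing
ARUN_CONFIG = "AllowGroups admins\n"             # the AllowGroups workaround

def parse_directives(text):
    """Return {directive: [pattern, ...]}, splitting values on whitespace, not commas.
    Match blocks are not handled (assumption: directives are global)."""
    rules = {}
    for raw in text.splitlines():
        parts = raw.split('#', 1)[0].split(None, 1)   # drop comments, split keyword from value
        if not parts:
            continue
        for name in DIRECTIVES:
            if parts[0].lower() == name.lower():       # sshd keywords are case-insensitive
                rules.setdefault(name, []).extend(parts[1].split() if len(parts) > 1 else [])
    return rules

def user_matches(pattern, user, host):
    """A USER@HOST pattern must match both parts; a bare pattern matches the user only."""
    if '@' in pattern:
        upat, hpat = pattern.split('@', 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)

def group_matches(pattern, groups):
    return any(fnmatch.fnmatchcase(g, pattern) for g in groups)

def login_allowed(rules, user, host, groups=()):
    """Evaluate in the order the man page specifies: DenyUsers, AllowUsers,
    DenyGroups, AllowGroups.  An absent Allow* directive imposes no restriction;
    a present one must be matched by at least one of its patterns."""
    if any(user_matches(p, user, host) for p in rules.get('DenyUsers', [])):
        return False
    if 'AllowUsers' in rules and not any(user_matches(p, user, host) for p in rules['AllowUsers']):
        return False
    if any(group_matches(p, groups) for p in rules.get('DenyGroups', [])):
        return False
    if 'AllowGroups' in rules and not any(group_matches(p, groups) for p in rules['AllowGroups']):
        return False
    return True
```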