Kai Schaetzl
2014-Jun-26 10:52 UTC
[CentOS] sshd_config AllowUsers syntax wrong in documentation
It seems the syntax for AllowUsers in sshd_config is not the same that is
given in man sshd_config and in several documentation on the web.
(http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config)
e.g.
AllowUsers root
does work.
AllowUsers root username
does not work.
If I try to login as root I get "User root from <hostname> not
allowed
because not listed in AllowUsers". I tried separating by comma (just in
case) which fails as well.
man page mentions checking against hosts only if you use a root at hostname
pattern there.
AllowUser root@* username
works for me (with root, didin't check the username), but this should not
be necessary according to documentation.
If "root" is allowed as a "pattern" it doesn't matter if
there are more
"patterns" coming or not.
It seems that as soon as two names are listed it's read as one user
("root
username"), e.g. it does not use the whitespace as a terminator.
UsePAM=no , in case that makes a difference.
CentOS 5.9, standard OpenSSH.
I've noticed this discrepancy already in the past, but didn't
investigate.
I also think that this syntax contradicts what man ssh_config says about
pattern lists, because for pattern-lists (which I understand is a list of
patterns for one directive) ssh wants a comma-separated list.
http://www.openssh.com/cgi-bin/man.cgi?query=ssh_config
(man sshd_config says to look in ssh_config for pattern syntax.)
I think this is a serious bug as it can lock you out very quickly while
you want to secure your machine (once you want to have more than one
user).
Do you share the same opinion or am I doing something wrong and it works
like advertised?
Kai
Arun Khan
2014-Jun-27 06:38 UTC
[CentOS] sshd_config AllowUsers syntax wrong in documentation
On Thu, Jun 26, 2014 at 4:22 PM, Kai Schaetzl <maillists at conactive.com> wrote:> It seems the syntax for AllowUsers in sshd_config is not the same that is > given in man sshd_config and in several documentation on the web. > (http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config) > > e.g. > > AllowUsers root > > does work. > > AllowUsers root usernameIIRC, I had encountered similar issue on a Debian box but did not investigate much. Instead, I went with the "AllowGroups" option e.g. AllowGroups admins and add users to the group. Only members of the group can login with ssh. HTH, -- Arun Khan