I just downloaded the newest snapshot and noticed that the problem is still present. I am not sure why I didn't get any reply to my previous message; probably it wasn't too clear, so I'll try again now. I also noticed one problem with the previous patch, so here is a fixed and far more tested version of the patch.

The problem is hopefully best described this way. When an admin wants to allow an individual user to access ssh and adds the user in sshd_config like this:

AllowUsers testuser

and in sshd_config there is also the following line:

AllowGroups admins ssh

In this case testuser is not a member of admins or ssh. Now when testuser tries to connect, it just enters the fake login loop and therefore won't allow the user to log in.

The current code does the checking in the following order:

- checks if a user deny list is defined; if so, checks if the user is in the deny list; if so, fail
- checks if a user allow list is defined; if so, checks if the user is in the allow list; if not, fail
- checks if a group deny list is defined; if so, checks if the user's group is listed in the deny list; if so, fail
- checks if a group allow list is defined; if so, checks if the user's group is listed in the allow list; if not, fail

In this case the user was in the user allow list but his group wasn't in the group allow list, so he was denied login.

This patch changes it to the following:

- check if a user deny list is defined; if so, check if the user is in the deny list; if so, fail
- check if a user allow list is defined; if so, check if the user is in the allow list; if not, then if the group allow list isn't defined, fail
- check if the user's group is in the deny list; if so, fail
- check if a user allow list is defined; if not, then if the user wasn't in the allow list, check against the user's group list; if the group isn't there, fail

One problem is that if a user is listed in the allow users list and his group is listed in the deny group list, he can't log in. I am not sure how you meant it to work, so I didn't include it in this patch. But it is very easy to implement if wanted.
-------------- next part -------------- diff openssh-SNAP-20000829/auth.c openssh/auth.c 53a54> int user_in_allow_list = 0;109a111,112> { > user_in_allow_list = 1;111,112c114,120 < /* i < options.num_allow_users iff we break for loop */ < if (i >= options.num_allow_users) ---> } > /* i < options.num_allow_users if we break for loop > to allow allow users and allow groups colive we can't > quit with error message when user wasn't listed in > allow users list > */ > if (i >= options.num_allow_users && !options.num_allow_groups)131a140,143> * > * If user was listed in AllowUsers and not mentioned on > * deny lists then we do not need to check against > * AllowGroups definition133c145 < if (options.num_allow_groups > 0) { ---> if (options.num_allow_groups > 0 && !user_in_allow_list) {
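Review bot: `user_in_allow_list` is added at file scope (`53a54> int user_in_allow_list = 0;`) and is set to 1 but never reset, so its value leaks into any later call of the same check within one process; it only describes the current call, so declare it as a local `int user_in_allow_list = 0;` at the top of the function that does the AllowUsers/AllowGroups checks. Two smaller points in the same region: the rewritten comment drops the "iff" of the original (`/* i < options.num_allow_users iff we break for loop */` became `if we break for loop`), which loses the "if and only if" meaning, so keep "iff"; and the final condition `if (options.num_allow_groups > 0 && !user_in_allow_list)` skips AllowGroups for a user named in AllowUsers while the DenyGroups check above it still applies to that user unconditionally, which is the behaviour the message's last paragraph flags as undecided, so the intended precedence between AllowUsers and DenyGroups should be stated in a comment (and in the sshd_config documentation) rather than left implicit.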

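To make the two evaluation orders described in the message concrete, here is an added example (editor's code, not OpenSSH's) that models the unpatched and patched decision logic over constructed AllowUsers/AllowGroups/DenyGroups lists. It assumes exact string matching of user and group names, whereas real sshd matches patterns; the configuration and accounts in it are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH code.  Assumptions: exact string comparison
 * instead of sshd's pattern matching, and an account "matches" a group list
 * when any of its groups appears in the list.
 */

/* NULL-terminated lists; a NULL list pointer means the option is not set. */
struct policy {
    const char *const *deny_users;
    const char *const *allow_users;
    const char *const *deny_groups;
    const char *const *allow_groups;
};

struct account {
    const char *name;
    const char *const *groups;
};

typedef int (*decide_fn)(const struct policy *, const struct account *);

static int in_list(const char *const *list, const char *s)
{
    for (; list != NULL && *list != NULL; list++)
        if (strcmp(*list, s) == 0)
            return 1;
    return 0;
}

/* 1 if any of the account's groups appears in list (0 if list is unset). */
static int any_group_in(const char *const *list, const struct account *a)
{
    const char *const *g;
    for (g = a->groups; list != NULL && *g != NULL; g++)
        if (in_list(list, *g))
            return 1;
    return 0;
}

/* Unpatched order: AllowGroups is applied even after an AllowUsers match. */
int allowed_old(const struct policy *p, const struct account *a)
{
    if (in_list(p->deny_users, a->name))
        return 0;
    if (p->allow_users != NULL && !in_list(p->allow_users, a->name))
        return 0;
    if (any_group_in(p->deny_groups, a))
        return 0;
    if (p->allow_groups != NULL && !any_group_in(p->allow_groups, a))
        return 0;
    return 1;
}

/* Patched order: an AllowUsers match satisfies AllowGroups, and a user
 * absent from AllowUsers may still qualify through AllowGroups.  DenyGroups
 * is still applied to everyone, which is the open point in the message. */
int allowed_new(const struct policy *p, const struct account *a)
{
    int user_in_allow_list = 0;  /* per call, not file scope as in the patch */

    if (in_list(p->deny_users, a->name))
        return 0;
    if (p->allow_users != NULL) {
        if (in_list(p->allow_users, a->name))
            user_in_allow_list = 1;
        else if (p->allow_groups == NULL)
            return 0;
    }
    if (any_group_in(p->deny_groups, a))
        return 0;
    if (p->allow_groups != NULL && !user_in_allow_list &&
        !any_group_in(p->allow_groups, a))
        return 0;
    return 1;
}

/* Constructed config: AllowUsers testuser / AllowGroups admins ssh /
 * DenyGroups banned, and three made-up accounts. */
static const char *const allow_users[]     = { "testuser", NULL };
static const char *const allow_groups[]    = { "admins", "ssh", NULL };
static const char *const deny_groups[]     = { "banned", NULL };
static const char *const testuser_groups[] = { "users", NULL };
static const char *const alice_groups[]    = { "users", "ssh", NULL };
static const char *const banned_groups[]   = { "banned", NULL };

/* The case from the message: in AllowUsers, in no AllowGroups group. */
int case_allowusers_only(decide_fn decide)
{
    struct policy p = { NULL, allow_users, NULL, allow_groups };
    struct account a = { "testuser", testuser_groups };
    return decide(&p, &a);
}

/* Not in AllowUsers, but a member of an AllowGroups group. */
int case_allowgroups_only(decide_fn decide)
{
    struct policy p = { NULL, allow_users, NULL, allow_groups };
    struct account a = { "alice", alice_groups };
    return decide(&p, &a);
}

/* The author's open question: in AllowUsers but in a DenyGroups group. */
int case_allowusers_vs_denygroups(decide_fn decide)
{
    struct policy p = { NULL, allow_users, deny_groups, NULL };
    struct account a = { "testuser", banned_groups };
    return decide(&p, &a);
}

int main(void)
{
    printf("AllowUsers only:          old=%d new=%d\n",
           case_allowusers_only(allowed_old), case_allowusers_only(allowed_new));
    printf("AllowGroups only:         old=%d new=%d\n",
           case_allowgroups_only(allowed_old), case_allowgroups_only(allowed_new));
    printf("AllowUsers vs DenyGroups: old=%d new=%d\n",
           case_allowusers_vs_denygroups(allowed_old),
           case_allowusers_vs_denygroups(allowed_new));
    return 0;
}
```

Running it shows the first case flipping from denied to allowed with the new order, the second case (group membership only) also becoming allowed because a user missing from AllowUsers now falls through to AllowGroups, and the third case denied under both orders, which is exactly the AllowUsers-versus-DenyGroups precedence the message leaves for the maintainers to decide.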