Kent Wick
2011-May-20 18:14 UTC
Possible error in coding of AllowUsers / AllowGroups in ssh 5.8p2
What I was trying to do: I wanted to use the AllowGroups facility to allow users in by group instead of listing individual usernames, but also allow root only from a single central host.

Setup actions:
- targetusername on the target host has a secondary group entry of "staff".
- Updated sshd_config to add the lines:
    AllowUsers root@nimsrvr
    AllowGroups staff
- targetusername is NOT listed in AllowUsers.
- Stopped and started sshd.
- Attempted to ssh from another host as "ssh targetusername@targethost date".

I always get the syslog message "user X from Y not allowed because not listed in AllowUsers".

The possible error (as I see it): The man page reads as if I should be able to specify a groupname or list of groupnames without having to specify a list of usernames (it should be treated as an "or" condition).

The way that I read the code in "auth.c" is: if the AllowUsers option is present, check the targetusername against the AllowUsers list. If it is not in the list, return false (which appears to reject the login). Only if the targetusername is in the AllowUsers list will the code then check the AllowGroups list.

It appears that the code treats AllowUsers / AllowGroups as an "and" condition rather than an "or" condition, as the man page implies. So either the code needs to change or the man page needs to change to be more explicit on the processing of the parameters. :)

Kent Wick
512 867 7325
Unix System Admin
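To make the evaluation order concrete, below is a small Python model of how sshd applies the four access-control directives. It is an added example, not code from the post above and not OpenSSH's own auth.c. It follows the order documented in sshd_config(5), DenyUsers, AllowUsers, DenyGroups, AllowGroups, applying each directive only when it is set, which is exactly what makes AllowUsers and AllowGroups an "and" rather than an "or". The account table, the hostnames, and the names ACCOUNTS, allowed_user and effective_options are constructed for the illustration; the Match Group handling assumes that a matching block's Allow*/Deny* lists replace the global ones.

```python
"""Model of sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups evaluation.

Added example, not taken from the post or from OpenSSH. Order follows
sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups. Each
directive is consulted only when present, so an account must pass
*every* Allow* directive that is configured (an AND, not an OR).
"""
from fnmatch import fnmatchcase

# Constructed account database: user -> set of groups (primary + secondary).
# "targetusername" mirrors the post: a regular user with secondary group staff.
ACCOUNTS = {
    "root": {"root"},
    "targetusername": {"users", "staff"},
    "bob": {"users"},
}

# The configuration from the post: AllowUsers and AllowGroups both set.
POSTERS_CONFIG = {
    "global": {"AllowUsers": ["root@nimsrvr"], "AllowGroups": ["staff"]},
    "match": [],
}

# One way to get the intended result: restrict root by host globally, and
# open AllowUsers for anyone in group staff via a Match Group block.
# Equivalent sshd_config (assumed to be accepted by the release in use):
#     AllowUsers root@nimsrvr
#     Match Group staff
#         AllowUsers *
FIXED_CONFIG = {
    "global": {"AllowUsers": ["root@nimsrvr"]},
    "match": [{"Group": ["staff"], "options": {"AllowUsers": ["*"]}}],
}


def match_user_host(pattern, user, host):
    """Match one AllowUsers/DenyUsers pattern of the form USER or USER@HOST."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatchcase(user, upat) and fnmatchcase(host, hpat)
    return fnmatchcase(user, pattern)


def match_groups(patterns, groups):
    """True if any of the user's groups matches any pattern in the list."""
    return any(fnmatchcase(g, p) for g in groups for p in patterns)


def effective_options(config, groups):
    """Global options plus any Match Group block the user's groups satisfy.

    Assumed semantics: a matching block's lists replace the global ones.
    """
    opts = dict(config["global"])
    for block in config["match"]:
        if match_groups(block["Group"], groups):
            opts.update(block["options"])
    return opts


def allowed_user(config, user, host):
    """Return (allowed, reason) for a login attempt, in sshd's documented order."""
    groups = ACCOUNTS.get(user)
    if groups is None:
        return False, "no such user"
    opts = effective_options(config, groups)

    deny_users = opts.get("DenyUsers", [])
    if any(match_user_host(p, user, host) for p in deny_users):
        return False, "listed in DenyUsers"

    allow_users = opts.get("AllowUsers", [])
    if allow_users and not any(match_user_host(p, user, host) for p in allow_users):
        return False, "not listed in AllowUsers"   # the message from the post

    deny_groups = opts.get("DenyGroups", [])
    if deny_groups and match_groups(deny_groups, groups):
        return False, "listed in DenyGroups"

    allow_groups = opts.get("AllowGroups", [])
    if allow_groups and not match_groups(allow_groups, groups):
        return False, "not listed in AllowGroups"

    return True, "allowed"


if __name__ == "__main__":
    attempts = [("targetusername", "otherhost"), ("root", "nimsrvr"),
                ("root", "otherhost"), ("bob", "otherhost")]
    for name, cfg in (("poster's config", POSTERS_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(name)
        for user, host in attempts:
            ok, why = allowed_user(cfg, user, host)
            print(f"  {user}@{host}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Run against the configuration in the post, the model reports targetusername rejected with "not listed in AllowUsers", and it also shows a second consequence of the AND: root from nimsrvr would be rejected by AllowGroups unless root is itself a member of staff. FIXED_CONFIG corresponds to `AllowUsers root@nimsrvr` globally followed by a `Match Group staff` block containing `AllowUsers *`; this assumes the installed sshd accepts AllowUsers inside Match blocks (check the Match section of sshd_config(5) for the release in use). If a release appends Match-block values to the global list instead of replacing them, the outcome here is unchanged, because `*` still matches the staff user and root from another host still fails to match `root@nimsrvr`.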