calestyo at scientia.net
2015-Feb-21 02:09 UTC
[PATCH] document evaluation of {Allow|Deny}{Users|Groups}
From: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name> ? Document what the evaluation order of AllowUsers, DenyUsers, AllowGroups and DenyGroups actually means. Fixes bug #2292. Signed-off-by: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name> --- sshd_config.5 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sshd_config.5 b/sshd_config.5 index fd44abe..a10b113 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -116,6 +116,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5 @@ -176,6 +178,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5 @@ -460,6 +464,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5 @@ -479,6 +485,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5 -- 2.1.4
Jakub Jelen
2015-Feb-22 12:55 UTC
[PATCH] document evaluation of {Allow|Deny}{Users|Groups}
On 02/21/2015 03:09 AM, calestyo at scientia.net wrote:> +The first one that matches determines whether the login is allowed or > +denied, with the later processed directives being ignored.This is actually not true. You can specify {Allow|Deny}{Users|Groups} multiple times and all of the rows are applied. Greetings, Jakub