[openssh-commits] [openssh] 01/08: upstream: clarify order of AllowUsers/DenyUsers vs

git+noreply at mindrot.org git+noreply at mindrot.org
Sun Jan 26 10:34:57 AEDT 2020 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit bf986a9e2792555e0879a3145fa18d2b49436c74
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sat Jan 25 22:36:22 2020 +0000

    upstream: clarify order of AllowUsers/DenyUsers vs
    
    AllowGroups/DenyGroups; bz1690, ok markus@
    
    OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd
---
 sshd_config.5 | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/sshd_config.5 b/sshd_config.5
index 63a7dfdd..d47cb0d2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.300 2020/01/25 07:09:14 tedu Exp $
+.\" $OpenBSD: sshd_config.5,v 1.301 2020/01/25 22:36:22 djm Exp $
 .Dd $Mdocdate: January 25 2020 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -113,11 +113,8 @@ If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
+The allow/deny groups directives are processed in the following order:
 .Cm DenyGroups ,
-and finally
 .Cm AllowGroups .
 .Pp
 See PATTERNS in
@@ -173,12 +170,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny directives are processed in the following order:
+The allow/deny users directives are processed in the following order:
 .Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
+.Cm AllowUsers .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
@@ -552,11 +546,8 @@ Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
+The allow/deny groups directives are processed in the following order:
 .Cm DenyGroups ,
-and finally
 .Cm AllowGroups .
 .Pp
 See PATTERNS in
@@ -573,12 +564,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny directives are processed in the following order:
+The allow/deny users directives are processed in the following order:
 .Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
+.Cm AllowUsers .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list