[openssh-commits] [openssh] 01/02: upstream: Make it clear that DenyUsers/DenyGroups overrides

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Jan 27 17:50:02 AEDT 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 409dc952ab88b5232e809e34fd55662c6f75ad81
Author: millert at openbsd.org <millert at openbsd.org>
AuthorDate: Thu Jan 22 15:30:07 2026 +0000

    upstream: Make it clear that DenyUsers/DenyGroups overrides
    
    AllowUsers/AllowGroups. Previously we specified the order in which the
    directives are processed but it was ambiguous as to what happened if both
    matched. OK djm@
    
    OpenBSD-Commit-ID: 6ae0ab52ff796b78486b92a45cd7ec9310e20f4e
---
 sshd_config.5 | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/sshd_config.5 b/sshd_config.5
index 8a51582a5..80cb2cecb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.392 2025/12/18 23:54:10 jsg Exp $
-.Dd $Mdocdate: December 18 2025 $
+.\" $OpenBSD: sshd_config.5,v 1.393 2026/01/22 15:30:07 millert Exp $
+.Dd $Mdocdate: January 22 2026 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -113,9 +113,9 @@ If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny groups directives are processed in the following order:
-.Cm DenyGroups ,
-.Cm AllowGroups .
+.Cm AllowGroups
+is not consulted for groups matched by
+.Cm DenyGroups .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
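Review bot: "groups matched by DenyGroups" in the added sentence is ambiguous for a user who belongs to several groups, since this entry checks the user's primary group and supplementary group list. A reader could take it to mean that only the denied group is skipped and that another of the user's groups is still checked against AllowGroups. Consider wording it per user, e.g. "AllowGroups is not consulted for users with a group matched by DenyGroups."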
@@ -173,9 +173,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny users directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers .
+.Cm AllowUsers
+is not consulted for users matched by
+.Cm DenyUsers .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
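Review bot: "users matched by DenyUsers" does not account for the USER@HOST form described in the context lines just above, where USER and HOST are checked separately. Please state whether a DenyUsers pattern limited to one host leaves AllowUsers in effect for the same user from other hosts; wording such as "logins matched by DenyUsers" would cover both forms.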
@@ -636,9 +636,9 @@ Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny groups directives are processed in the following order:
-.Cm DenyGroups ,
-.Cm AllowGroups .
+.Cm AllowGroups
+is not consulted for groups matched by
+.Cm DenyGroups .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
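Review bot: in the DenyGroups entry the added sentence has AllowGroups as its subject, so a reader who looks up DenyGroups has to invert it to learn what this directive does. Lead with the directive being documented, e.g. "A match in DenyGroups takes precedence over AllowGroups."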
@@ -657,9 +657,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny users directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers .
+.Cm AllowUsers
+is not consulted for users matched by
+.Cm DenyUsers .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
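Review bot: "is not consulted" in the DenyUsers entry describes processing rather than the result, while the commit message says DenyUsers overrides AllowUsers. Saying outright that a user matched by DenyUsers is refused login even when AllowUsers also matches would remove the remaining ambiguity.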

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

