user at host in AllowUsers

Allan Stokes allan at
Fri Jun 15 00:42:54 EST 2001

> This has been a feature of SSH.COM's sshd for a long time, and this is
> what the book is probably referring to.

On page 6 the SSH book provides a secret decoder ring:

SSH    - generic term
SSH-1  - the SSH protocol version 1
SSH-2  - the SSH protocol version 2
SSH1   - TY's ssh1
SSH2   - TY's ssh2
ssh    - the client program (which is sometimes called ssh1 and ssh2)
OpenSSH  - OpenSSH from the OpenBSD project
OpenSSH/1 - OpenSSH's behaviour wrt SSH-1
OpenSSH/2 - OpenSSH's behaviour wrt SSH-2

Section 5.5.2 gives examples of access control.  I'll cite the examples
attributed to OpenSSH which include wildcards, grouped by scope, ignoring
examples which focus on Accept/Deny interaction.

# SSH1, SSH2, OpenSSH
AllowUsers ?mith
AllowUsers s*@*.edu      # page 179

# SSH1, OpenBSD
AllowUsers smith jones cs*
AllowGroups ?aculty s*s

Hmm, not much meets the stated criteria.

I'll also quote one small passage:
Finally, here is a useful configuration example, expressed in SSH1 syntax:
  AllowUsers walrus@* carpenter@* *@*

We can cross out "probably referring" and replace it with "explicitly

The SSH book explicitly documents that OpenSSH handles this syntax
(erroneously for the time being) with a tip of the hat about the utility of
this feature.


More information about the openssh-unix-dev mailing list