Problem, possibly bug with AllowUsers & DenyUsers

Andy Tsouladze andyb1 at
Fri May 9 15:25:04 EST 2008

On Fri, 9 May 2008, Peter Stuge wrote:

> On Thu, May 08, 2008 at 11:42:23PM -0500, Andy Tsouladze wrote:
>> Essentially, regular users should be able to login from any
>> network, while root should be able to login only from a private
>> network
>> AllowUsers root at 192.168.88.* !root@*
>> Result: BAD. root can login only from but other
>> users cannot login at all.
> What if you change the order and/or space to a comma?
> AllowUsers !root@*,root at 192.168.88.*

Tried it - does not make a difference.  Besides, even

AllowUsers !root@*

alone does not work.  I was not able to find a single instance where 
negation would work.

> You could also try using Match.

Great idea!  It does seem to accomplish what I need, but I have to use 
multiple Match lines, like this:

PermitRootLogin no
Match Address 192.168.89.*
PermitRootLogin yes
Match Address 192.168.88.*
PermitRootLogin yes

BTW, negation does not work within Match block either...

Thanks a lot,


Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect
United Airlines

More information about the openssh-unix-dev mailing list