sshd_config allows multiple AllowUsers lines?

Adam Spragg adam.spragg at octaltelecom.co.uk
Wed Feb 11 05:15:02 EST 2009


Hi,

I've just been adding a few extra hosts to my sshd_config's AllowUsers, and 
it's got a bit unwieldy.

As far as I can tell from the sshd_config(5) and ssh_config(5) man pages, the 
*only* way to specify multiple AllowUsers patterns is on a single line, 
separated by spaces. With more than 6 or 7 patterns it starts wrapping on to 
multiple lines and gets hard to read, especially as the sshd_config file does 
not support backslash newline continuation.

Searching the mailing list archives for AllowUsers, I came across a message 
which implies that multiple DenyUsers (which I assume works the same as 
AllowUsers) lines are permitted[0], and that they are equivalent to a single 
concatenated DenyUsers line. Further, using multiple AllowUsers directives 
appears to work.

But I can find no mention of this behaviour in the man pages.

So, is this guaranteed behaviour, or is it a quirk of the current 
implementation? Is it possible that future implementations will change this 
and only use the first AllowUsers directive, or possibly use only the last, or 
some other behaviour?

If it is guaranteed behaviour, is it documented? If so, where? If not, should 
it be?


Thanks,

Adam Spragg.

[0] http://marc.info/?l=openssh-unix-dev&m=112000646419696&w=2

-- 
Adam Spragg                      mailto:adam.spragg at octaltelecom.co.uk
Developer
Octal Telecom                           http://www.octaltelecom.co.uk/


It reverses the logical flow of conversation!
> Why?
> > No.
> > > Should I top post?

http://www.google.com/search?q=%22top+posting%22
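
An added example, not part of the original post or of OpenSSH: a small Python audit that lists the effective AllowUsers patterns per scope, assuming, as the post describes, that repeated directives are concatenated in file order. `SAMPLE`, `collect` and `repeated` are hypothetical names, and the config text is constructed.

```python
import re

# Constructed sample config (not from the original post).
SAMPLE = """\
# global section
Port 22
AllowUsers alice@192.0.2.* bob@192.0.2.*
allowusers carol@198.51.100.10
AllowUsers=dave
DenyUsers mallory

Match Address 203.0.113.0/24
    AllowUsers backup
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def collect(text, keyword="AllowUsers"):
    """Map each scope ("global" or a Match line) to its merged patterns.

    Assumption: repeated directives in one scope are concatenated in
    file order, as the post describes.
    Returns {scope: {"patterns": [...], "lines": [line numbers]}}.
    """
    scope, found = "global", {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE.match(line)
        if not m:
            continue  # keyword with no argument; not relevant here
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "match":
            scope = "Match " + " ".join(args)  # applies until the next Match
        elif key == keyword.lower():
            entry = found.setdefault(scope, {"patterns": [], "lines": []})
            entry["patterns"] += args
            entry["lines"].append(lineno)
    return found

def repeated(found):
    """Scopes where the directive occurs on more than one line."""
    return sorted(s for s, e in found.items() if len(e["lines"]) > 1)

if __name__ == "__main__":
    result = collect(SAMPLE)
    for scope, entry in result.items():
        print(f"{scope}: lines {entry['lines']} -> {' '.join(entry['patterns'])}")
    print("repeated in:", repeated(result))
```

On a live host, `sshd -T` dumps the configuration sshd actually parsed, which can be compared against this listing.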


