AllowUsers "logic" and failure to indicate bad configuration

mpatton at mpatton at
Fri Aug 10 13:38:24 EST 2012

> way. It should not be necessary for AllowUsers to be the superset of
> AllowGroups.

Sorry, I meant to say AllowGroups should not have to include at least one
GID from each of AllowUsers.

I forgot to add that a case could be made for the Allow/Deny directives to
be valid within all Match{} stanzas as well. Right now there is only one
global rule. However, it makes perfect sense to want to selectively
override it.

At first blush I thought that maybe the rules specified in Match{} would
just be used to "flip" the logic arrived at from the main body; eg.
AllowUsers could effectively negate any rejection reached by the main body

Then I thought that maybe it would be better to treat it as a complete
substitution of the matching global rule directive. To me, this seems to
be the most elegant but will have to be clearly spelled out in

The 3rd option would call for ignoring the entire global rule in favor of
building a new one based strictly off the directives contained within
Match{}. Yes, in most cases they'll be a lot of cut/pasting from the
global rule and tweaking them to taste, but the intent of the stanza is

If we were to implement option 2, specifying all 4 directives would
achieve the same result as option 3.


More information about the openssh-unix-dev mailing list