Multiple AllowGroup lines in sshd_config?

Erik Thuning thuning at
Thu Mar 2 19:11:40 AEDT 2023


I'm experimenting with migrating the custom sshd_config settings for our 
(Debian bullseye, openssh-server 8.4) server environment into fragments 
under sshd_config.d/, and am wondering about sshd's behaviour when 
encountering multiple AllowGroup lines.

The manual states "For each keyword, the first obtained value will be 
used.", so that gives me the impression that any lines after the first 
should be ignored. However, my testing seems to contradict this - if I 
have two lines granting access to different groups, both groups get access.

So it seems like these are equivalent:

> AllowGroups foo bar

> AllowGroups foo
> AllowGroups bar

Is this behaviour to be expected? It could of course also be Debian 
introducing special behaviour, but I thought I should check here first.


More information about the openssh-unix-dev mailing list