Multiple AllowGroup lines in sshd_config?
b.candler at pobox.com
Thu Mar 2 19:43:52 AEDT 2023
On 02/03/2023 16:11, Erik Thuning wrote:
> I am wondering about sshd's behaviour when encountering multiple
> AllowGroup lines.
> The manual states "For each keyword, the first obtained value will be
> used.", so that gives me the impression that any lines after the first
> should be ignored. However, my testing seems to contradict this - if I
> have two lines granting access to different groups, both groups get
> So it seems like these are equivalent:
>> AllowGroups foo bar
>> AllowGroups foo
>> AllowGroups bar
> Is this behaviour to be expected?
I see the same as you, but I think it's to be expected. There are other
settings like HostKey and AcceptEnv which can be repeated and which are
combined into a list of values.
You can see this if you run /usr/sbin/sshd -T
I get the same whether I use
AllowGroups redis brian
Similarly, if I put "AcceptEnv blah" then this is added to the other
AcceptEnv settings - it does not override them (and I don't know how to
empty the list).
I agree that the "For each keyword..." note in the sshd_config manpage
could be misleading for these cases.
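
The accumulation described in this thread, as an added example that is not part of the original message or of OpenSSH: a simplified Python model in which the list keywords named above append across repeated lines while other keywords keep the first value. It assumes no Include files or quoting and reads only the global section before the first Match line; the function names and the sample config are constructed here.

```python
# Simplified model of how repeated sshd_config keywords combine.
# Illustrative only: this is not sshd's parser. Assumptions: no Include,
# no quoting, and only the global section (parsing stops at first Match).

# List-valued keywords named in the thread; repeated lines append.
LIST_KEYWORDS = {"allowgroups", "acceptenv", "hostkey"}

# Constructed sample config (not taken from the thread).
SAMPLE = """\
# constructed sample
PermitRootLogin no
AllowGroups foo
AcceptEnv LANG
AllowGroups bar
PermitRootLogin yes
Match User backup
    AllowGroups ops
"""


def directives(text):
    """Yield (line_number, keyword, args) for global-section directives."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            return  # Match blocks are conditional; out of scope here
        yield lineno, keyword, parts[1:]


def effective_config(text):
    """List keywords accumulate; every other keyword keeps its first value."""
    result = {}
    for _, keyword, args in directives(text):
        if keyword in LIST_KEYWORDS:
            result.setdefault(keyword, []).extend(args)
        elif keyword not in result:
            result[keyword] = args
    return result


def repeated_list_keywords(text):
    """Audit helper: list keywords set on more than one line, with line numbers."""
    seen = {}
    for lineno, keyword, _ in directives(text):
        if keyword in LIST_KEYWORDS:
            seen.setdefault(keyword, []).append(lineno)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Compare the model's result for a real file against the output of /usr/sbin/sshd -T, which remains the authoritative view of the effective configuration.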