Possible error in coding of AllowUsers / AllowGroups in ssh 5.8p2

Kent Wick Kent.Wick at ers.state.tx.us
Sat May 21 04:14:59 EST 2011


What I was trying to do:
I wanted to use the AllowGroups facility to allow users in by group instead of listing individual usernames but also allow root only from a single central host.

Setup actions:
targetusername on target host has a secondary group entry of "staff".
Updated sshd_config to add the lines:
    AllowUsers root@nimsrvr
    AllowGroups staff
targetusername is NOT listed in AllowUsers

Stopped and started sshd

Attempted to ssh from another host as "ssh targetusername@targethost date"

I always get the syslog message "user X from Y not allowed because not listed in AllowUsers".

The possible error (as I see it): The man page reads as if I should be able to specify a groupname or list of groupnames without having to specify a list of usernames (it should be treated as an "or" condition). The way that I read the code in "auth.c" is:
  If the AllowUsers option is present, check the targetusername against the AllowUsers list. If it is not in the list, return false (which appears to reject the login). Only if the targetusername is in the AllowUsers list will the code then check the AllowGroups list.

It appears that the code treats the AllowUsers / AllowGroups as an "and" condition rather than an "or" condition as the man page implies.

So either the code needs to change or the man page needs to change to be more explicit on the processing of the parameters. :)

Kent Wick
512 867 7325
Unix System Admin
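To make the evaluation order the post describes concrete, here is a small Python model of the AllowUsers / AllowGroups decision. It is an added example, not code from OpenSSH's auth.c: it re-implements the list processing as the post reads it (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, with every configured list having to pass) so the constructed login attempts can be run offline. The USER@HOST matching is a simplified fnmatch-based stand-in for sshd's pattern matching, and the host names, users and group memberships are constructed test data taken from the post.

```python
"""Model of sshd's AllowUsers/AllowGroups evaluation (added example, not OpenSSH code).

Simplified re-implementation of the decision logic the post describes for
allowed_user() in auth.c: the lists are evaluated in the order DenyUsers,
AllowUsers, DenyGroups, AllowGroups, and a login must pass every list that
is configured. Users, hosts and group memberships below are constructed.
"""
from fnmatch import fnmatchcase


def match_user(user, host, pattern):
    """Match a user against one AllowUsers/DenyUsers entry.

    An entry of the form USER@HOST restricts USER to logins from HOST; a plain
    USER pattern matches from any host. Both parts accept sh-style wildcards.
    (Assumption: sshd's real matcher also checks the client IP; omitted here.)
    """
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and fnmatchcase(host, host_pat)
    return fnmatchcase(user, pattern)


def allowed_user(user, host, groups, cfg):
    """Return (allowed, reason) for a login attempt.

    cfg maps keyword -> list of patterns, e.g. {"AllowUsers": ["root@nimsrvr"]}.
    groups is the user's full group list (primary and supplementary).
    """
    for pat in cfg.get("DenyUsers", []):
        if match_user(user, host, pat):
            return False, "listed in DenyUsers"
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not any(match_user(user, host, p) for p in allow_users):
        # This is the branch that produces the syslog line quoted in the post.
        return False, "not listed in AllowUsers"
    for pat in cfg.get("DenyGroups", []):
        if any(fnmatchcase(g, pat) for g in groups):
            return False, "a group is listed in DenyGroups"
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not any(
        fnmatchcase(g, p) for g in groups for p in allow_groups
    ):
        return False, "none of user's groups are listed in AllowGroups"
    return True, "allowed"


# The sshd_config from the post, as a dict.
POSTED_CONFIG = {
    "AllowUsers": ["root@nimsrvr"],
    "AllowGroups": ["staff"],
}


def run_cases(cfg=POSTED_CONFIG):
    """Evaluate constructed login attempts against cfg; returns {attempt: (ok, why)}."""
    cases = {
        # the attempt from the post: staff member, not in AllowUsers
        "targetusername@otherhost": ("targetusername", "otherhost", ["users", "staff"]),
        # root from the central host passes AllowUsers, but root is not in staff
        "root@nimsrvr": ("root", "nimsrvr", ["root"]),
        # root from elsewhere already fails at the AllowUsers step
        "root@otherhost": ("root", "otherhost", ["root"]),
    }
    return {name: allowed_user(*args, cfg) for name, args in cases.items()}


if __name__ == "__main__":
    for attempt, (ok, why) in run_cases().items():
        print(f"{attempt:26s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

Running it reproduces the "not listed in AllowUsers" rejection for targetusername. It also shows a second consequence of the same evaluation order: with this configuration root from nimsrvr is rejected too, at the AllowGroups step, because root is not a member of staff. Adding targetusername to AllowUsers (the per-user listing the post wanted to avoid) is what makes the staff login pass both lists in this model.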
