Multiple AllowGroup lines in sshd_config?
Brian Candler
b.candler at pobox.com
Thu Mar 2 19:43:52 AEDT 2023
On 02/03/2023 16:11, Erik Thuning wrote:
> am wondering about sshd's behaviour when encountering multiple
> AllowGroup lines.
>
> The manual states "For each keyword, the first obtained value will be
> used.", so that gives me the impression that any lines after the first
> should be ignored. However, my testing seems to contradict this - if I
> have two lines granting access to different groups, both groups get
> access.
>
> So it seems like these are equivalent:
>
>> AllowGroups foo bar
>
>> AllowGroups foo
>> AllowGroups bar
>
>
> Is this behaviour to be expected?
I see the same as you, but I think it's to be expected. There are other
settings like HostKey and AcceptEnv which can be repeated and which are
combined into a list of values.
You can see this if you run /usr/sbin/sshd -T
...
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
allowgroups redis
allowgroups brian
acceptenv LANG
acceptenv LC_*
...
I get the same whether I use
AllowGroups redis brian
or
AllowGroups redis
AllowGroups brian
Similarly, if I put "AcceptEnv blah" then this is added to the other
AcceptEnv settings - it does not override them (and I don't know how to
empty the list).
I agree that the "For each keyword..." note in the sshd_config manpage
could be misleading for these cases.
Regards,
Brian.
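To make the accumulate-versus-first-value distinction concrete, here is a small model of sshd_config keyword handling written for this page (it is not part of the thread and not OpenSSH code). It assumes a partial set of accumulating keywords, ignores Match blocks, and uses Python's fnmatch in place of sshd's own pattern matcher:

```python
"""Model of how sshd_config combines repeated keywords (constructed example).
Assumptions, not from the thread: Match blocks are not modelled, ACCUMULATING
is partial, and fnmatch stands in for sshd's own matcher (no '!' negation)."""
import fnmatch

# Keywords whose values accumulate across repeated lines, as `sshd -T` shows.
ACCUMULATING = {"allowgroups", "denygroups", "allowusers", "denyusers",
                "acceptenv", "hostkey"}


def parse_sshd_config(text):
    """Return {keyword: value or list}; keywords lowercased like `sshd -T`."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        key, values = parts[0].lower(), parts[1:]
        if key == "match":
            break                              # assumption: stop at Match
        if key in ACCUMULATING:
            opts.setdefault(key, []).extend(values)   # appended, not replaced
        elif key not in opts:
            opts[key] = " ".join(values)       # "first obtained value" wins
    return opts


def _matches(names, patterns):
    return any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns)


def login_allowed(opts, user, groups):
    """Apply Deny/AllowUsers then Deny/AllowGroups in sshd's evaluation order."""
    if _matches([user], opts.get("denyusers", [])):
        return False
    allow_users = opts.get("allowusers", [])
    if allow_users and not _matches([user], allow_users):
        return False
    if _matches(groups, opts.get("denygroups", [])):
        return False
    allow_groups = opts.get("allowgroups", [])
    if allow_groups and not _matches(groups, allow_groups):
        return False
    return True


# Constructed sample configs: the two forms the thread found equivalent.
ONE_LINE = "AllowGroups foo bar\n"
TWO_LINES = "AllowGroups foo\nAllowGroups bar\n"
```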