Multiple AllowGroup lines in sshd_config?

Brian Candler b.candler at pobox.com
Thu Mar 2 19:43:52 AEDT 2023


On 02/03/2023 16:11, Erik Thuning wrote:
> I am wondering about sshd's behaviour when encountering multiple 
> AllowGroups lines.
>
> The manual states "For each keyword, the first obtained value will be 
> used.", so that gives me the impression that any lines after the first 
> should be ignored. However, my testing seems to contradict this - if I 
> have two lines granting access to different groups, both groups get 
> access.
>
> So it seems like these are equivalent:
>
>> AllowGroups foo bar
>
>> AllowGroups foo
>> AllowGroups bar
>
>
> Is this behaviour to be expected?

I see the same as you, but I think it's to be expected.  There are other 
settings like HostKey and AcceptEnv which can be repeated and which are 
combined into a list of values.

You can see this if you run /usr/sbin/sshd -T

...
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
allowgroups redis
allowgroups brian
acceptenv LANG
acceptenv LC_*
...

I get the same whether I use

AllowGroups redis brian

or

AllowGroups redis
AllowGroups brian

Similarly, if I put "AcceptEnv blah" then this is added to the other 
AcceptEnv settings - it does not override them (and I don't know how to 
empty the list).

I agree that the "For each keyword..." note in the sshd_config manpage 
could be misleading for these cases.

Regards,

Brian.
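The behaviour described above can be checked without a live sshd. What follows is an added Python model written for this page; it is not OpenSSH code, not part of the thread, and not the output of Brian's test. It assumes that the only accumulating keywords are the three the thread names (AllowGroups, AcceptEnv, HostKey), that every other keyword keeps its first value as the manpage says, and that anything from a Match line onward is out of scope. The sample configs are constructed, not copied from anyone's system. The audit function is the practical part: it flags both kinds of surprise, a repeated list keyword whose values are silently merged, and a repeated scalar keyword whose later value is silently ignored.

```python
"""Model of how sshd merges repeated sshd_config keywords (added example).

Constructed illustration, not sshd's own parser. Assumptions: the
accumulating keywords are limited to the three named in the thread; every
other keyword keeps its first value; Match blocks are ignored.
"""
import shlex

# Keywords whose repeated occurrences are concatenated into one list.
# Assumption: only the keywords observed in the thread; sshd has more.
ACCUMULATING = {"allowgroups", "acceptenv", "hostkey"}

# Constructed sample configs (not from the poster's machine).
SAMPLE_JOINED = "AllowGroups redis brian\nAcceptEnv LANG LC_*\n"
SAMPLE_SPLIT = "AllowGroups redis\nAllowGroups brian\nAcceptEnv LANG LC_*\n"
SAMPLE_SHADOWED = (
    "PasswordAuthentication yes\n"
    "PasswordAuthentication no   # later scalar value: ignored by sshd\n"
    "AllowGroups redis\n"
    "AllowGroups brian\n"
)


def _tokenize(text):
    """Yield (keyword, [values]) per effective line; keyword is lower-cased."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if head.lower() == "match":
            break  # assumption: Match blocks are outside this model
        if "=" in head:  # sshd also accepts "Keyword=value"
            line = line.replace("=", " ", 1)
        parts = shlex.split(line, comments=True)
        if parts:
            yield parts[0].lower(), parts[1:]


def effective_config(text):
    """Return {keyword: values} the way sshd -T would report them."""
    effective = {}
    for kw, values in _tokenize(text):
        if kw in ACCUMULATING:
            effective.setdefault(kw, []).extend(values)
        else:
            effective.setdefault(kw, values)  # first occurrence wins
    return effective


def dump_like_sshd_T(text):
    """One 'keyword value' line per value for list keywords, like sshd -T."""
    lines = []
    for kw, values in effective_config(text).items():
        if kw in ACCUMULATING:
            lines.extend(f"{kw} {v}" for v in values)
        else:
            lines.append(f"{kw} {' '.join(values)}")
    return lines


def audit(text):
    """Flag repeated keywords: merged lists and ignored scalar values."""
    seen = {}
    findings = []
    for kw, values in _tokenize(text):
        if kw not in seen:
            seen[kw] = list(values)
            continue
        if kw in ACCUMULATING:
            seen[kw].extend(values)
            findings.append(("merged", kw, list(seen[kw])))
        else:
            findings.append(("ignored", kw, values))
    return findings


if __name__ == "__main__":
    for line in dump_like_sshd_T(SAMPLE_SPLIT):
        print(line)
    for kind, kw, values in audit(SAMPLE_SHADOWED):
        print(f"{kind}: {kw} {' '.join(values)}")
```

Running the audit over a real /etc/ssh/sshd_config before deploying it catches the case the manpage note is actually warning about: a hardening line such as a second PasswordAuthentication placed below an earlier one does nothing, while a second AllowGroups widens access rather than replacing it.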
