Multiple AllowGroup lines in sshd_config?
Damien Miller
djm at mindrot.org
Fri Mar 3 12:35:43 AEDT 2023
On Thu, 2 Mar 2023, Erik Thuning wrote:
> Hi!
>
> I'm experimenting with migrating the custom sshd_config settings for our
> (Debian bullseye, openssh-server 8.4) server environment into fragments under
> sshd_config.d/, and am wondering about sshd's behaviour when encountering
> multiple AllowGroup lines.
>
> The manual states "For each keyword, the first obtained value will be used.",
> so that gives me the impression that any lines after the first should be
> ignored. However, my testing seems to contradict this - if I have two lines
> granting access to different groups, both groups get access.
>
> So it seems like these are equivalent:
>
> > AllowGroups foo bar
>
> > AllowGroups foo
> > AllowGroups bar
>
>
> Is this behaviour to be expected? It could of course also be Debian
> introducing special behaviour, but I thought I should check here first.
Yeah, sshd_config isn't 100% consistent at implementing first-match-wins
and Allow/DenyUsers/Groups is one of the exceptions. That's no excuse for
our not documenting this.
diff --git a/sshd_config.5 b/sshd_config.5
index 51cf89e..4587f1f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -48,7 +48,7 @@ reads configuration data from
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
-For each keyword, the first obtained value will be used.
+Unless noted otherwise, for each keyword, the first obtained value will be used.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
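Review bot: "Unless noted otherwise" at the changed line leaves the reader to hunt through the page for the exceptions; since the same patch marks exactly four keywords as accumulating, consider naming them or pointing at them here, e.g. "Unless noted otherwise (see AllowGroups, AllowUsers, DenyGroups and DenyUsers), for each keyword, the first obtained value will be used."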
@@ -120,6 +120,9 @@ The allow/deny groups directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm AllowStreamLocalForwarding
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
The available options are
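Review bot: the added sentence "with each instance appending to the list" should spell out the consequence for access control, because it is the opposite of what the first-obtained-value rule leads readers to expect and is exactly the surprise in the report above: a second AllowGroups line, including one in an included fragment, widens the set of permitted groups rather than being ignored. Suggest ending the sentence with something like "so the effective allow list is the union of all instances."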
@@ -177,6 +180,9 @@ The allow/deny users directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
for a user to be granted access.
@@ -630,6 +636,9 @@ The allow/deny groups directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
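Review bot: for DenyGroups the same appending behaviour cuts the other way and is worth a clause of its own in the added text: because instances only accumulate, a later DenyGroups line can add denied groups but can never remove a group denied by an earlier line, so a reader who expects first-match-wins (or last-wins override) semantics for a fragment will be wrong in both directions.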
@@ -648,6 +657,9 @@ The allow/deny users directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm DisableForwarding
Disables all forwarding features, including X11,
.Xr ssh-agent 1 ,
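To make the merge rule discussed in this thread concrete, here is an added example that is not part of the thread or of OpenSSH: a small Python model of how sshd combines a main sshd_config with Include'd fragments, using the first-obtained-value rule for ordinary keywords and the appending rule for AllowUsers/AllowGroups/DenyUsers/DenyGroups. It is a deliberate simplification (no Match blocks, no quoting rules, no other exceptions) and the two config files it walks are constructed inline, mirroring a Debian-style layout where the Include line sits at the top of sshd_config.

```python
import fnmatch
import re

# Keywords whose repeated instances are appended rather than ignored:
# sshd's exception to "the first obtained value will be used".
ACCUMULATING = {"allowusers", "allowgroups", "denyusers", "denygroups"}

# Constructed sample files, keyed by path relative to a notional /etc/ssh.
# The fragment repeats AllowGroups (widens access) and PasswordAuthentication
# (first-wins keyword, so whichever line is read first decides).
SAMPLE_FILES = {
    "sshd_config": """\
# main file; the Include comes first, as in the Debian default
Include sshd_config.d/*.conf
PasswordAuthentication no
AllowGroups foo
""",
    "sshd_config.d/10-ops.conf": """\
PasswordAuthentication yes
AllowGroups bar
""",
}

# "Keyword value" or "Keyword=value"; keyword is case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_line(line):
    """Return (lowercased keyword, argument string) or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    match = _LINE.match(stripped)
    if not match:
        return None
    return match.group(1).lower(), match.group(2)


def merge(files, path, effective=None):
    """Walk one file (expanding Include in place, globs in sorted order) and merge
    its keywords into `effective`: first-wins keywords keep the value seen first,
    ACCUMULATING keywords collect every instance in the order encountered."""
    if effective is None:
        effective = {}
    for line in files[path].splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, value = parsed
        if key == "include":
            for pattern in value.split():
                # fnmatch stands in for glob(3) over our in-memory file table
                for included in sorted(fnmatch.filter(files, pattern)):
                    merge(files, included, effective)
            continue
        if key in ACCUMULATING:
            effective.setdefault(key, []).extend(value.split())
        else:
            effective.setdefault(key, value)
    return effective


def effective_config(files=SAMPLE_FILES, root="sshd_config"):
    """Effective settings after reading `root` and everything it includes."""
    return merge(files, root)


if __name__ == "__main__":
    for key, value in sorted(effective_config().items()):
        print(key, value if isinstance(value, str) else " ".join(value))
```

With the sample files the fragment's `PasswordAuthentication yes` wins because the Include is read before the main file's own line, while `AllowGroups` ends up as the union `bar foo`: the fragment overrides one keyword and widens the other. On a real host the same merged result is what `sshd -T` prints, which is the quickest check that a drop-in fragment has not silently enlarged an allow list.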