From bf986a9e2792555e0879a3145fa18d2b49436c74 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 25 Jan 2020 22:36:22 +0000 Subject: [PATCH] upstream: clarify order of AllowUsers/DenyUsers vs AllowGroups/DenyGroups; bz1690, ok markus@ OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd --- sshd_config.5 | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/sshd_config.5 b/sshd_config.5 index 63a7dfdde..d47cb0d24 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.300 2020/01/25 07:09:14 tedu Exp $ +.\" $OpenBSD: sshd_config.5,v 1.301 2020/01/25 22:36:22 djm Exp $ .Dd $Mdocdate: January 25 2020 $ .Dt SSHD_CONFIG 5 .Os @@ -113,11 +113,8 @@ If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -The allow/deny directives are processed in the following order: -.Cm DenyUsers , -.Cm AllowUsers , +The allow/deny groups directives are processed in the following order: .Cm DenyGroups , -and finally .Cm AllowGroups . .Pp See PATTERNS in @@ -173,12 +170,9 @@ are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. -The allow/deny directives are processed in the following order: +The allow/deny users directives are processed in the following order: .Cm DenyUsers , -.Cm AllowUsers , -.Cm DenyGroups , -and finally -.Cm AllowGroups . +.Cm AllowUsers . .Pp See PATTERNS in .Xr ssh_config 5 @@ -552,11 +546,8 @@ Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -The allow/deny directives are processed in the following order: -.Cm DenyUsers , -.Cm AllowUsers , +The allow/deny groups directives are processed in the following order: .Cm DenyGroups , -and finally .Cm AllowGroups . .Pp See PATTERNS in @@ -573,12 +564,9 @@ are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. -The allow/deny directives are processed in the following order: +The allow/deny users directives are processed in the following order: .Cm DenyUsers , -.Cm AllowUsers , -.Cm DenyGroups , -and finally -.Cm AllowGroups . +.Cm AllowUsers . .Pp See PATTERNS in .Xr ssh_config 5