It seems the syntax for AllowUsers in sshd_config is not the same that is
given in man sshd_config and in several documentation on the web.
(http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config)
e.g.
AllowUsers root
does work.
AllowUsers root username
does not work.
If I try to login as root I get "User root from <hostname> not allowed
because not listed in AllowUsers". I tried separating by comma (just in
case) which fails as well.
man page mentions checking against hosts only if you use a root@hostname
pattern there.
AllowUser root@* username
works for me (with root, didin't check the username), but this should not
be necessary according to documentation.
If "root" is allowed as a "pattern" it doesn't matter if there are more
"patterns" coming or not.
It seems that as soon as two names are listed it's read as one user ("root
username"), e.g. it does not use the whitespace as a terminator.
UsePAM=no , in case that makes a difference.
CentOS 5.9, standard OpenSSH.
I've noticed this discrepancy already in the past, but didn't investigate.
I also think that this syntax contradicts what man ssh_config says about
pattern lists, because for pattern-lists (which I understand is a list of
patterns for one directive) ssh wants a comma-separated list.
http://www.openssh.com/cgi-bin/man.cgi?query=ssh_config
(man sshd_config says to look in ssh_config for pattern syntax.)
I think this is a serious bug as it can lock you out very quickly while
you want to secure your machine (once you want to have more than one
user).
Do you share the same opinion or am I doing something wrong and it works
like advertised?
Kai
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
