On 02/03/2023 16:11, Erik Thuning wrote:
> I am wondering about sshd's behaviour when encountering multiple
> AllowGroup lines.
>
> The manual states "For each keyword, the first obtained value will be
> used.", so that gives me the impression that any lines after the first
> should be ignored. However, my testing seems to contradict this - if I
> have two lines granting access to different groups, both groups get
> access.
>
> So it seems like these are equivalent:
>
>     AllowGroups foo bar
>
>     AllowGroups foo
>     AllowGroups bar
>
> Is this behaviour to be expected?

I see the same as you, but I think it's to be expected. There are other
settings like HostKey and AcceptEnv which can be repeated and which are
combined into a list of values.

You can see this if you run /usr/sbin/sshd -T

    ...
    hostkey /etc/ssh/ssh_host_rsa_key
    hostkey /etc/ssh/ssh_host_ecdsa_key
    hostkey /etc/ssh/ssh_host_ed25519_key
    allowgroups redis
    allowgroups brian
    acceptenv LANG
    acceptenv LC_*
    ...

I get the same whether I use

    AllowGroups redis brian

or

    AllowGroups redis
    AllowGroups brian

Similarly, if I put "AcceptEnv blah" then this is added to the other
AcceptEnv settings - it does not override them (and I don't know how to
empty the list).

I agree that the "For each keyword..." note in the sshd_config manpage
could be misleading for these cases.

Regards,
Brian.
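
Added example (not part of the original message, and not OpenSSH code): a small audit helper that flags list-type keywords set on more than one line and prints the merged value list, working on sshd_config text or on `sshd -T` output. The function names, the keyword list and the sample input are assumptions made for illustration; it assumes whitespace-separated arguments and does not handle Match blocks, Include files or quoted values.

```shell
# Keywords this thread shows being combined across lines (assumed list, limited
# to the three named in the message; sshd keywords are case-insensitive).
LIST_KEYWORDS="allowgroups acceptenv hostkey"

# merged_values KEYWORD  (config text on stdin)
# Print every value given for KEYWORD on any line, in order, without duplicates.
merged_values() {
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == tolower(want) {
            for (i = 2; i <= NF; i++)
                if (!seen[$i]++) print $i
        }'
}

# repeated_list_keywords  (config text on stdin)
# Print "keyword line-count" for each list keyword set on more than one line.
repeated_list_keywords() {
    awk -v list="$LIST_KEYWORDS" '
        BEGIN { n = split(list, k, " "); for (i = 1; i <= n; i++) is_list[k[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        { kw = tolower($1); if (kw in is_list) count[kw]++ }
        END { for (i = 1; i <= n; i++) if (count[k[i]] > 1) print k[i], count[k[i]] }'
}

# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG='AllowGroups redis
PasswordAuthentication no
AcceptEnv LANG LC_*
AllowGroups brian
AcceptEnv blah'

# Demo run: which list keywords repeat, and who AllowGroups really admits.
printf '%s\n' "$SAMPLE_CONFIG" | repeated_list_keywords
printf '%s\n' "$SAMPLE_CONFIG" | merged_values AllowGroups
```

On a live host, the same functions can be fed from `/usr/sbin/sshd -T`, which already reflects the merged configuration.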