On Thu, 2 Mar 2023, Erik Thuning wrote:

> Hi!
>
> I'm experimenting with migrating the custom sshd_config settings for our
> (Debian bullseye, openssh-server 8.4) server environment into fragments under
> sshd_config.d/, and am wondering about sshd's behaviour when encountering
> multiple AllowGroup lines.
>
> The manual states "For each keyword, the first obtained value will be used.",
> so that gives me the impression that any lines after the first should be
> ignored. However, my testing seems to contradict this - if I have two lines
> granting access to different groups, both groups get access.
>
> So it seems like these are equivalent:
>
> > AllowGroups foo bar
>
> > AllowGroups foo
> > AllowGroups bar
>
> Is this behaviour to be expected? It could of course also be Debian
> introducing special behaviour, but I thought I should check here first.

Yeah, sshd_config isn't 100% consistent at implementing first-match-wins and
Allow/DenyUsers/Groups is one of the exceptions. That's no excuse for our not
documenting this.

diff --git a/sshd_config.5 b/sshd_config.5 index 51cf89e..4587f1f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -48,7 +48,7 @@ reads configuration data from .Fl f on the command line). The file contains keyword-argument pairs, one per line. -For each keyword, the first obtained value will be used. +Unless noted otherwise, for each keyword, the first obtained value will be used. Lines starting with .Ql # and empty lines are interpreted as comments. @@ -120,6 +120,9 @@ The allow/deny groups directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm AllowStreamLocalForwarding Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. The available options are 
@@ -177,6 +180,9 @@ The allow/deny users directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm AuthenticationMethods Specifies the authentication methods that must be successfully completed for a user to be granted access. @@ -630,6 +636,9 @@ The allow/deny groups directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -648,6 +657,9 @@ The allow/deny users directives are processed in the following order: See PATTERNS in .Xr ssh_config 5 for more information on patterns. +This keyword may appear multiple times in +.Nm +with each instance appending to the list. .It Cm DisableForwarding Disables all forwarding features, including X11, .Xr ssh-agent 1 , _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
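Review bot: the new "Unless noted otherwise" qualifier in the @@ -48,7 hunk is the right hook, but it leaves the reader to discover the exceptions by chance; consider telling them where to look, e.g. "Unless noted otherwise in the description of a keyword, for each keyword the first obtained value will be used.", since an administrator auditing a split sshd_config.d/ layout (the case that prompted this) needs to know that some keywords accumulate rather than ignore later lines.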
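Review bot: in the @@ -120,6 hunk (AllowGroups), "with each instance appending to the list" is accurate but does not spell out the consequence that matters for access control: a second AllowGroups line anywhere in the configuration, including an included fragment as in the report above, grants access to additional groups instead of being ignored. Suggest adding one sentence such as "A later AllowGroups line therefore widens the set of permitted groups; it does not replace the earlier list." so the access-widening behaviour is explicit for the Allow* keywords.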
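Review bot: style point on the sentence added in the @@ -177,6 hunk (AllowUsers): the clause reads better with a comma after the macro, written in mdoc as ".Nm ," (trailing punctuation given as a separate argument), so it renders as "may appear multiple times in sshd_config, with each instance appending to the list." The same three-line text is inserted in the other hunks, so the punctuation should be applied to all of them.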
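Review bot: in the @@ -630,6 hunk (DenyGroups) the new sentence lands after the "See PATTERNS in ssh_config(5)" cross-reference, so it reads as a remark about patterns rather than about the keyword; placing it before that cross-reference keeps the pointer to PATTERNS as the closing sentence of the entry, as it is for the other list-valued keywords. This applies to all four insertions.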
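The following is an added illustration of the merging rule the thread describes, not code from OpenSSH or from either correspondent: a small model of sshd_config keyword merging in which most keywords keep the first obtained value while AllowUsers, AllowGroups, DenyUsers and DenyGroups accumulate across lines and fragments. The parser is deliberately simplified (no Match blocks, no quoting rules), the fragment order is whatever the caller supplies (the position of the Include directive in the main file decides it in a real installation), and the fragment names and sample lines are constructed for the example. Its purpose is the audit an administrator wants after reading the thread: spotting Allow* lists that have been assembled from more than one line, since each extra Allow* line widens access rather than being ignored.

```python
"""Simplified model of sshd_config keyword merging (added example, not OpenSSH code).

Most keywords: the first obtained value wins. The four list keywords named in the
thread accumulate instead. The authoritative check on a real host remains
`sshd -T`, which prints the effective configuration.
"""

# Keywords that append on repetition instead of first-wins (from the thread).
APPENDING_KEYWORDS = {"allowusers", "allowgroups", "denyusers", "denygroups"}


def effective_config(fragments):
    """Merge ordered (source_name, text) fragments the way the thread describes.

    Returns a dict mapping lowercased keyword -> (value, sources), where value is
    a string for first-wins keywords and a list of members for appending ones,
    and sources lists "name:lineno" for every line that contributed.
    """
    merged = {}
    for source, text in fragments:
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # comments and blank lines are ignored
            parts = line.split(None, 1)
            key = parts[0].lower()  # keywords are case-insensitive
            value = parts[1] if len(parts) > 1 else ""
            where = f"{source}:{lineno}"
            if key in APPENDING_KEYWORDS:
                members, sources = merged.setdefault(key, ([], []))
                members.extend(value.split())  # each line appends its patterns
                sources.append(where)
            elif key not in merged:
                merged[key] = (value, [where])  # first obtained value wins
            # else: a later value for a first-wins keyword is silently ignored
    return merged


def widened_allow_lists(merged):
    """Return Allow* keywords whose members came from more than one line.

    A second AllowUsers/AllowGroups line in any fragment grants access to
    additional principals; Deny* lines only ever narrow access, so they are
    not reported here.
    """
    return {key: entry for key, entry in merged.items()
            if key in ("allowusers", "allowgroups") and len(entry[1]) > 1}


# Constructed sample: a main file plus two drop-in fragments (hypothetical names).
SAMPLE_FRAGMENTS = [
    ("sshd_config", "PasswordAuthentication no\nAllowGroups foo\n"),
    ("sshd_config.d/10-site.conf", "AllowGroups bar\nPasswordAuthentication yes\n"),
    ("sshd_config.d/20-ops.conf", "DenyUsers guest\nDenyUsers nobody\n"),
]

if __name__ == "__main__":
    cfg = effective_config(SAMPLE_FRAGMENTS)
    for key, (value, sources) in sorted(cfg.items()):
        print(f"{key:24} {value}  <- {', '.join(sources)}")
    for key, (value, sources) in widened_allow_lists(cfg).items():
        print(f"warning: {key} assembled from {len(sources)} lines: {value}")
```

Run against the constructed fragments, PasswordAuthentication stays "no" (the later "yes" is ignored, first value wins), DenyUsers accumulates both patterns, and AllowGroups is reported as widened because its members came from two different files. On a real host, compare the model's output with `sshd -T` rather than trusting the model.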