author | djm@openbsd.org <djm@openbsd.org> | 2020-01-25 23:36:22 +0100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-01-26 00:15:13 +0100 |
commit | bf986a9e2792555e0879a3145fa18d2b49436c74 (patch) | |
tree | 7c882f47638dbc75d2b804317aa49ca0617453db /sshd_config.5 | |
parent | upstream: when AddKeysToAgent=yes is set and the key contains no (diff) | |
upstream: clarify order of AllowUsers/DenyUsers vs
AllowGroups/DenyGroups; bz1690, ok markus@
OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd
Diffstat (limited to '')
-rw-r--r-- | sshd_config.5 | 26 |
1 files changed, 7 insertions, 19 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 63a7dfdde..d47cb0d24 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.300 2020/01/25 07:09:14 tedu Exp $ +.\" $OpenBSD: sshd_config.5,v 1.301 2020/01/25 22:36:22 djm Exp $ .Dd $Mdocdate: January 25 2020 $ .Dt SSHD_CONFIG 5 .Os @@ -113,11 +113,8 @@ If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -The allow/deny directives are processed in the following order: -.Cm DenyUsers , -.Cm AllowUsers , +The allow/deny groups directives are processed in the following order: .Cm DenyGroups , -and finally .Cm AllowGroups . .Pp See PATTERNS in @@ -173,12 +170,9 @@ are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. -The allow/deny directives are processed in the following order: +The allow/deny users directives are processed in the following order: .Cm DenyUsers , -.Cm AllowUsers , -.Cm DenyGroups , -and finally -.Cm AllowGroups . +.Cm AllowUsers . .Pp See PATTERNS in .Xr ssh_config 5 @@ -552,11 +546,8 @@ Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -The allow/deny directives are processed in the following order: -.Cm DenyUsers , -.Cm AllowUsers , +The allow/deny groups directives are processed in the following order: .Cm DenyGroups , -and finally .Cm AllowGroups . .Pp See PATTERNS in 
@@ -573,12 +564,9 @@ are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. -The allow/deny directives are processed in the following order: +The allow/deny users directives are processed in the following order: .Cm DenyUsers , -.Cm AllowUsers , -.Cm DenyGroups , -and finally -.Cm AllowGroups . +.Cm AllowUsers . .Pp See PATTERNS in .Xr ssh_config 5 |
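Review bot: In the AllowGroups hunk (@@ -113,11 +113,8) the new sentence lists only DenyGroups and AllowGroups, so the page no longer says anywhere how the group directives relate to the user directives. The removed lines were the only place that put DenyUsers and AllowUsers ahead of DenyGroups and AllowGroups. Since the commit message is about users vs groups, I would add one sentence here stating whether a login has to pass both the users checks and the groups checks, so a reader combining AllowUsers with DenyGroups can predict the outcome from the man page alone.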
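Review bot: In the AllowUsers hunk (@@ -173,12 +170,9) the phrase "The allow/deny users directives" reads awkwardly, and with "and finally" dropped the two-item list ends as ".Cm DenyUsers , .Cm AllowUsers ." with no connective. Naming the keywords directly would be clearer, for example "DenyUsers is processed first, then AllowUsers", using .Cm for both. The same wording point applies to "The allow/deny groups directives" in the group hunks.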
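Review bot: In the DenyGroups and DenyUsers hunks (@@ -552,11 +546,8 and @@ -573,12 +564,9) the text gives a processing order but still does not say what that order means for a user or group that matches both a Deny pattern and an Allow pattern. For the Deny keywords that is the case an administrator most needs spelled out, so I would state the result explicitly next to the order. The sentence is also now repeated in four sections in two variants; consider keeping the full explanation in one place and cross-referencing it from the others so the copies cannot drift apart again.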