- stevesk@cvs.openbsd.org 2002/01/18 20:46:34

[sshd.8] clarify Allow(Groups|Users) and Deny(Groups|Users); suggestion from allard@oceanpark.com; ok markus@
author: Damien Miller <djm@mindrot.org> 2002-01-22 23:33:45 +1100
committer: Damien Miller <djm@mindrot.org> 2002-01-22 23:33:45 +1100
commit: df64a682f17fc12ca0ae80e6331cbb89b77bd35b (patch)
tree: 7b0fb2c4cb44d743f0f9ced09f34318683ecf18f
parent: 4a8ed543612c99700788d87fe18081d5df4b37c6 (diff)
2 files changed, 16 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index 66f53a25a..3689b1d89 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -207,6 +207,10 @@
   - stevesk@cvs.openbsd.org 2002/01/18 18:14:17
     [authfd.c bufaux.c buffer.c cipher.c packet.c ssh-agent.c ssh-keygen.c]
     unneeded cast cleanup; ok markus@
+   - stevesk@cvs.openbsd.org 2002/01/18 20:46:34
+     [sshd.8]
+     clarify Allow(Groups|Users) and Deny(Groups|Users); suggestion from
+     allard@oceanpark.com; ok markus@
 20020121
 - (djm) Rework ssh-rand-helper:
@@ -7354,4 +7358,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1781 2002/01/22 12:33:31 djm Exp $
+$Id: ChangeLog,v 1.1782 2002/01/22 12:33:45 djm Exp $
diff --git a/sshd.8 b/sshd.8
index 61d88c142..256b2aa57 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.162 2002/01/18 17:14:16 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.163 2002/01/18 20:46:34 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -329,7 +329,7 @@ Specifies whether an AFS token may be forwarded to the server.
 Default is
 .Dq yes .
 .It Cm AllowGroups
-This keyword can be followed by a list of group names, separated
+This keyword can be followed by a list of group name patterns, separated
 by spaces.
 If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
@@ -339,7 +339,7 @@ and
 can be used as
 wildcards in the patterns.
 Only group names are valid; a numerical group ID is not recognized.
-By default login is allowed regardless of the group list.
+By default, login is allowed for all groups.
 .Pp
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
@@ -350,7 +350,7 @@ users are also denied shell access, as they can always install their
 own forwarders.
 .Pp
 .It Cm AllowUsers
-This keyword can be followed by a list of user names, separated
+This keyword can be followed by a list of user name patterns, separated
 by spaces.
 If specified, login is allowed only for users names that
 match one of the patterns.
@@ -360,7 +360,7 @@ and
 can be used as
 wildcards in the patterns.
 Only user names are valid; a numerical user ID is not recognized.
-By default login is allowed regardless of the user name.
+By default, login is allowed for all users.
 If the pattern takes the form USER@HOST then USER and HOST
 are separately checked, restricting logins to particular
 users from particular hosts.
@@ -435,20 +435,20 @@ The default value is 3. If
 is left at the default, unresponsive ssh clients
 will be disconnected after approximately 45 seconds.
 .It Cm DenyGroups
-This keyword can be followed by a number of group names, separated
+This keyword can be followed by a list of group name patterns, separated
 by spaces.
-Users whose primary group or supplementary group list matches
+Login is disallowed for users whose primary group or supplementary
-one of the patterns aren't allowed to log in.
+group list matches one of the patterns.
 .Ql \&*
 and
 .Ql ?
 can be used as
 wildcards in the patterns.
 Only group names are valid; a numerical group ID is not recognized.
-By default login is allowed regardless of the group list.
+By default, login is allowed for all groups.
 .Pp
 .It Cm DenyUsers
-This keyword can be followed by a number of user names, separated
+This keyword can be followed by a list of user name patterns, separated
 by spaces.
 Login is disallowed for user names that match one of the patterns.
 .Ql \&*
@@ -456,7 +456,7 @@ and
 .Ql ?
 can be used as wildcards in the patterns.
 Only user names are valid; a numerical user ID is not recognized.
-By default login is allowed regardless of the user name.
+By default, login is allowed for all users.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
author	Damien Miller <djm@mindrot.org>	2002-01-22 23:33:45 +1100
committer	Damien Miller <djm@mindrot.org>	2002-01-22 23:33:45 +1100
commit	df64a682f17fc12ca0ae80e6331cbb89b77bd35b (patch)
tree	7b0fb2c4cb44d743f0f9ced09f34318683ecf18f
parent	4a8ed543612c99700788d87fe18081d5df4b37c6 (diff)

diff --git a/ChangeLog b/ChangeLog index 66f53a25a..3689b1d89 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -207,6 +207,10 @@
207	- stevesk@cvs.openbsd.org 2002/01/18 18:14:17	207	- stevesk@cvs.openbsd.org 2002/01/18 18:14:17
208	[authfd.c bufaux.c buffer.c cipher.c packet.c ssh-agent.c ssh-keygen.c]	208	[authfd.c bufaux.c buffer.c cipher.c packet.c ssh-agent.c ssh-keygen.c]
209	unneeded cast cleanup; ok markus@	209	unneeded cast cleanup; ok markus@
		210	- stevesk@cvs.openbsd.org 2002/01/18 20:46:34
		211	[sshd.8]
		212	clarify Allow(Groups\|Users) and Deny(Groups\|Users); suggestion from
		213	allard@oceanpark.com; ok markus@
210		214
211	20020121	215	20020121
212	- (djm) Rework ssh-rand-helper:	216	- (djm) Rework ssh-rand-helper:
@@ -7354,4 +7358,4 @@
7354	- Wrote replacements for strlcpy and mkdtemp	7358	- Wrote replacements for strlcpy and mkdtemp
7355	- Released 1.0pre1	7359	- Released 1.0pre1
7356		7360
7357	$Id: ChangeLog,v 1.1781 2002/01/22 12:33:31 djm Exp $	7361	$Id: ChangeLog,v 1.1782 2002/01/22 12:33:45 djm Exp $


diff --git a/sshd.8 b/sshd.8 index 61d88c142..256b2aa57 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.162 2002/01/18 17:14:16 stevesk Exp $	37	.\" $OpenBSD: sshd.8,v 1.163 2002/01/18 20:46:34 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -329,7 +329,7 @@ Specifies whether an AFS token may be forwarded to the server.
329	Default is	329	Default is
330	.Dq yes .	330	.Dq yes .
331	.It Cm AllowGroups	331	.It Cm AllowGroups
332	This keyword can be followed by a list of group names, separated	332	This keyword can be followed by a list of group name patterns, separated
333	by spaces.	333	by spaces.
334	If specified, login is allowed only for users whose primary	334	If specified, login is allowed only for users whose primary
335	group or supplementary group list matches one of the patterns.	335	group or supplementary group list matches one of the patterns.
@@ -339,7 +339,7 @@ and
339	can be used as	339	can be used as
340	wildcards in the patterns.	340	wildcards in the patterns.
341	Only group names are valid; a numerical group ID is not recognized.	341	Only group names are valid; a numerical group ID is not recognized.
342	By default login is allowed regardless of the group list.	342	By default, login is allowed for all groups.
343	.Pp	343	.Pp
344	.It Cm AllowTcpForwarding	344	.It Cm AllowTcpForwarding
345	Specifies whether TCP forwarding is permitted.	345	Specifies whether TCP forwarding is permitted.
@@ -350,7 +350,7 @@ users are also denied shell access, as they can always install their
350	own forwarders.	350	own forwarders.
351	.Pp	351	.Pp
352	.It Cm AllowUsers	352	.It Cm AllowUsers
353	This keyword can be followed by a list of user names, separated	353	This keyword can be followed by a list of user name patterns, separated
354	by spaces.	354	by spaces.
355	If specified, login is allowed only for users names that	355	If specified, login is allowed only for users names that
356	match one of the patterns.	356	match one of the patterns.
@@ -360,7 +360,7 @@ and
360	can be used as	360	can be used as
361	wildcards in the patterns.	361	wildcards in the patterns.
362	Only user names are valid; a numerical user ID is not recognized.	362	Only user names are valid; a numerical user ID is not recognized.
363	By default login is allowed regardless of the user name.	363	By default, login is allowed for all users.
364	If the pattern takes the form USER@HOST then USER and HOST	364	If the pattern takes the form USER@HOST then USER and HOST
365	are separately checked, restricting logins to particular	365	are separately checked, restricting logins to particular
366	users from particular hosts.	366	users from particular hosts.
@@ -435,20 +435,20 @@ The default value is 3. If
435	is left at the default, unresponsive ssh clients	435	is left at the default, unresponsive ssh clients
436	will be disconnected after approximately 45 seconds.	436	will be disconnected after approximately 45 seconds.
437	.It Cm DenyGroups	437	.It Cm DenyGroups
438	This keyword can be followed by a number of group names, separated	438	This keyword can be followed by a list of group name patterns, separated
439	by spaces.	439	by spaces.
440	Users whose primary group or supplementary group list matches	440	Login is disallowed for users whose primary group or supplementary
441	one of the patterns aren't allowed to log in.	441	group list matches one of the patterns.
442	.Ql \&*	442	.Ql \&*
443	and	443	and
444	.Ql ?	444	.Ql ?
445	can be used as	445	can be used as
446	wildcards in the patterns.	446	wildcards in the patterns.
447	Only group names are valid; a numerical group ID is not recognized.	447	Only group names are valid; a numerical group ID is not recognized.
448	By default login is allowed regardless of the group list.	448	By default, login is allowed for all groups.
449	.Pp	449	.Pp
450	.It Cm DenyUsers	450	.It Cm DenyUsers
451	This keyword can be followed by a number of user names, separated	451	This keyword can be followed by a list of user name patterns, separated
452	by spaces.	452	by spaces.
453	Login is disallowed for user names that match one of the patterns.	453	Login is disallowed for user names that match one of the patterns.
454	.Ql \&*	454	.Ql \&*
@@ -456,7 +456,7 @@ and
456	.Ql ?	456	.Ql ?
457	can be used as wildcards in the patterns.	457	can be used as wildcards in the patterns.
458	Only user names are valid; a numerical user ID is not recognized.	458	Only user names are valid; a numerical user ID is not recognized.
459	By default login is allowed regardless of the user name.	459	By default, login is allowed for all users.
460	.It Cm GatewayPorts	460	.It Cm GatewayPorts
461	Specifies whether remote hosts are allowed to connect to ports	461	Specifies whether remote hosts are allowed to connect to ports
462	forwarded for the client.	462	forwarded for the client.