author | djm@openbsd.org <djm@openbsd.org> | 2020-01-25 22:36:22 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-01-26 10:15:13 +1100 |
commit | bf986a9e2792555e0879a3145fa18d2b49436c74 (patch) | |
tree | 7c882f47638dbc75d2b804317aa49ca0617453db /sshd_config.5 | |
parent | 022ce92fa0daa9d78830baeb2bd2dc3f83c724ba (diff) |
upstream: clarify order of AllowUsers/DenyUsers vs
AllowGroups/DenyGroups; bz1690, ok markus@
OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 26 |
1 files changed, 7 insertions, 19 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 63a7dfdde..d47cb0d24 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,7 +33,7 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.300 2020/01/25 07:09:14 tedu Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.301 2020/01/25 22:36:22 djm Exp $ |
37 | .Dd $Mdocdate: January 25 2020 $ | 37 | .Dd $Mdocdate: January 25 2020 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
@@ -113,11 +113,8 @@ If specified, login is allowed only for users whose primary | |||
113 | group or supplementary group list matches one of the patterns. | 113 | group or supplementary group list matches one of the patterns. |
114 | Only group names are valid; a numerical group ID is not recognized. | 114 | Only group names are valid; a numerical group ID is not recognized. |
115 | By default, login is allowed for all groups. | 115 | By default, login is allowed for all groups. |
116 | The allow/deny directives are processed in the following order: | 116 | The allow/deny groups directives are processed in the following order: |
117 | .Cm DenyUsers , | ||
118 | .Cm AllowUsers , | ||
119 | .Cm DenyGroups , | 117 | .Cm DenyGroups , |
120 | and finally | ||
121 | .Cm AllowGroups . | 118 | .Cm AllowGroups . |
122 | .Pp | 119 | .Pp |
123 | See PATTERNS in | 120 | See PATTERNS in |
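Review bot: In the AllowGroups entry, the rewritten sentence at new line 116 lists only DenyGroups and AllowGroups, and with the DenyUsers and AllowUsers lines removed nothing in this entry says how the group checks relate to the user checks. A reader configuring AllowGroups cannot tell from this text whether a user who matches AllowUsers must also pass the group directives. Suggest adding one sentence, or a pointer to the AllowUsers entry, that states how the two sets of directives combine.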
@@ -173,12 +170,9 @@ are separately checked, restricting logins to particular | |||
173 | users from particular hosts. | 170 | users from particular hosts. |
174 | HOST criteria may additionally contain addresses to match in CIDR | 171 | HOST criteria may additionally contain addresses to match in CIDR |
175 | address/masklen format. | 172 | address/masklen format. |
176 | The allow/deny directives are processed in the following order: | 173 | The allow/deny users directives are processed in the following order: |
177 | .Cm DenyUsers , | 174 | .Cm DenyUsers , |
178 | .Cm AllowUsers , | 175 | .Cm AllowUsers . |
179 | .Cm DenyGroups , | ||
180 | and finally | ||
181 | .Cm AllowGroups . | ||
182 | .Pp | 176 | .Pp |
183 | See PATTERNS in | 177 | See PATTERNS in |
184 | .Xr ssh_config 5 | 178 | .Xr ssh_config 5 |
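Review bot: The phrase "allow/deny users directives" at new line 173 reads awkwardly, and the list that follows (".Cm DenyUsers ," then ".Cm AllowUsers .") is now a two-item, comma-separated list with no connective, since "and finally" was dropped along with the group lines. Suggest naming the keywords in the sentence itself, for example "DenyUsers is processed before AllowUsers", so the order is unambiguous when rendered.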
@@ -552,11 +546,8 @@ Login is disallowed for users whose primary group or supplementary | |||
552 | group list matches one of the patterns. | 546 | group list matches one of the patterns. |
553 | Only group names are valid; a numerical group ID is not recognized. | 547 | Only group names are valid; a numerical group ID is not recognized. |
554 | By default, login is allowed for all groups. | 548 | By default, login is allowed for all groups. |
555 | The allow/deny directives are processed in the following order: | 549 | The allow/deny groups directives are processed in the following order: |
556 | .Cm DenyUsers , | ||
557 | .Cm AllowUsers , | ||
558 | .Cm DenyGroups , | 550 | .Cm DenyGroups , |
559 | and finally | ||
560 | .Cm AllowGroups . | 551 | .Cm AllowGroups . |
561 | .Pp | 552 | .Pp |
562 | See PATTERNS in | 553 | See PATTERNS in |
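Review bot: In the DenyGroups entry, the sentence at new line 549 gives an evaluation order but not its consequence: it does not say what happens to a user whose groups match both a DenyGroups pattern and an AllowGroups pattern. The order only matters in that overlap case, so state the outcome explicitly next to the order rather than leaving the reader to infer it.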
@@ -573,12 +564,9 @@ are separately checked, restricting logins to particular | |||
573 | users from particular hosts. | 564 | users from particular hosts. |
574 | HOST criteria may additionally contain addresses to match in CIDR | 565 | HOST criteria may additionally contain addresses to match in CIDR |
575 | address/masklen format. | 566 | address/masklen format. |
576 | The allow/deny directives are processed in the following order: | 567 | The allow/deny users directives are processed in the following order: |
577 | .Cm DenyUsers , | 568 | .Cm DenyUsers , |
578 | .Cm AllowUsers , | 569 | .Cm AllowUsers . |
579 | .Cm DenyGroups , | ||
580 | and finally | ||
581 | .Cm AllowGroups . | ||
582 | .Pp | 570 | .Pp |
583 | See PATTERNS in | 571 | See PATTERNS in |
584 | .Xr ssh_config 5 | 572 | .Xr ssh_config 5 |
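Review bot: The ordering sentence at new line 567 is now word for word the same in the DenyUsers and AllowUsers entries (and likewise in the two groups entries), which is why this patch had to edit four places. Consider stating the order once per pair and having the other entry refer to it, so the copies cannot drift apart in a later edit.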