upstream: clarify order of AllowUsers/DenyUsers vs

AllowGroups/DenyGroups; bz1690, ok markus@ OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd
author: djm@openbsd.org <djm@openbsd.org> 2020-01-25 22:36:22 +0000
committer: Damien Miller <djm@mindrot.org> 2020-01-26 10:15:13 +1100
commit: bf986a9e2792555e0879a3145fa18d2b49436c74 (patch)
tree: 7c882f47638dbc75d2b804317aa49ca0617453db /sshd_config.5
parent: 022ce92fa0daa9d78830baeb2bd2dc3f83c724ba (diff)
1 files changed, 7 insertions, 19 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 63a7dfdde..d47cb0d24 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.300 2020/01/25 07:09:14 tedu Exp $
+.\" $OpenBSD: sshd_config.5,v 1.301 2020/01/25 22:36:22 djm Exp $
 .Dd $Mdocdate: January 25 2020 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -113,11 +113,8 @@ If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
+The allow/deny groups directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
 .Cm DenyGroups ,
-and finally
 .Cm AllowGroups .
 .Pp
 See PATTERNS in
@@ -173,12 +170,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny directives are processed in the following order:
+The allow/deny users directives are processed in the following order:
 .Cm DenyUsers ,
-.Cm AllowUsers ,
+.Cm AllowUsers .
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
@@ -552,11 +546,8 @@ Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
+The allow/deny groups directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
 .Cm DenyGroups ,
-and finally
 .Cm AllowGroups .
 .Pp
 See PATTERNS in
@@ -573,12 +564,9 @@ are separately checked, restricting logins to particular
 users from particular hosts.
 HOST criteria may additionally contain addresses to match in CIDR
 address/masklen format.
-The allow/deny directives are processed in the following order:
+The allow/deny users directives are processed in the following order:
 .Cm DenyUsers ,
-.Cm AllowUsers ,
+.Cm AllowUsers .
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
 .Pp
 See PATTERNS in
 .Xr ssh_config 5
author	djm@openbsd.org <djm@openbsd.org>	2020-01-25 22:36:22 +0000
committer	Damien Miller <djm@mindrot.org>	2020-01-26 10:15:13 +1100
commit	bf986a9e2792555e0879a3145fa18d2b49436c74 (patch)
tree	7c882f47638dbc75d2b804317aa49ca0617453db /sshd_config.5
parent	022ce92fa0daa9d78830baeb2bd2dc3f83c724ba (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 63a7dfdde..d47cb0d24 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,7 +33,7 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.300 2020/01/25 07:09:14 tedu Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.301 2020/01/25 22:36:22 djm Exp $
37	.Dd $Mdocdate: January 25 2020 $	37	.Dd $Mdocdate: January 25 2020 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
@@ -113,11 +113,8 @@ If specified, login is allowed only for users whose primary
113	group or supplementary group list matches one of the patterns.	113	group or supplementary group list matches one of the patterns.
114	Only group names are valid; a numerical group ID is not recognized.	114	Only group names are valid; a numerical group ID is not recognized.
115	By default, login is allowed for all groups.	115	By default, login is allowed for all groups.
116	The allow/deny directives are processed in the following order:	116	The allow/deny groups directives are processed in the following order:
117	.Cm DenyUsers ,
118	.Cm AllowUsers ,
119	.Cm DenyGroups ,	117	.Cm DenyGroups ,
120	and finally
121	.Cm AllowGroups .	118	.Cm AllowGroups .
122	.Pp	119	.Pp
123	See PATTERNS in	120	See PATTERNS in
@@ -173,12 +170,9 @@ are separately checked, restricting logins to particular
173	users from particular hosts.	170	users from particular hosts.
174	HOST criteria may additionally contain addresses to match in CIDR	171	HOST criteria may additionally contain addresses to match in CIDR
175	address/masklen format.	172	address/masklen format.
176	The allow/deny directives are processed in the following order:	173	The allow/deny users directives are processed in the following order:
177	.Cm DenyUsers ,	174	.Cm DenyUsers ,
178	.Cm AllowUsers ,	175	.Cm AllowUsers .
179	.Cm DenyGroups ,
180	and finally
181	.Cm AllowGroups .
182	.Pp	176	.Pp
183	See PATTERNS in	177	See PATTERNS in
184	.Xr ssh_config 5	178	.Xr ssh_config 5
@@ -552,11 +546,8 @@ Login is disallowed for users whose primary group or supplementary
552	group list matches one of the patterns.	546	group list matches one of the patterns.
553	Only group names are valid; a numerical group ID is not recognized.	547	Only group names are valid; a numerical group ID is not recognized.
554	By default, login is allowed for all groups.	548	By default, login is allowed for all groups.
555	The allow/deny directives are processed in the following order:	549	The allow/deny groups directives are processed in the following order:
556	.Cm DenyUsers ,
557	.Cm AllowUsers ,
558	.Cm DenyGroups ,	550	.Cm DenyGroups ,
559	and finally
560	.Cm AllowGroups .	551	.Cm AllowGroups .
561	.Pp	552	.Pp
562	See PATTERNS in	553	See PATTERNS in
@@ -573,12 +564,9 @@ are separately checked, restricting logins to particular
573	users from particular hosts.	564	users from particular hosts.
574	HOST criteria may additionally contain addresses to match in CIDR	565	HOST criteria may additionally contain addresses to match in CIDR
575	address/masklen format.	566	address/masklen format.
576	The allow/deny directives are processed in the following order:	567	The allow/deny users directives are processed in the following order:
577	.Cm DenyUsers ,	568	.Cm DenyUsers ,
578	.Cm AllowUsers ,	569	.Cm AllowUsers .
579	.Cm DenyGroups ,
580	and finally
581	.Cm AllowGroups .
582	.Pp	570	.Pp
583	See PATTERNS in	571	See PATTERNS in
584	.Xr ssh_config 5	572	.Xr ssh_config 5