2 files changed, 30 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 9f07c8cf4..bdfb7520b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -182,6 +182,10 @@
     [ssh_config.5]
     document the possible values for KbdInteractiveDevices;
     help/ok dtucker
+   - jmc@cvs.openbsd.org 2006/02/25 12:28:34
+     [sshd_config.5]
+     document the order in which allow/deny directives are processed;
+     help/ok dtucker
 20060313
 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -4083,4 +4087,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4192 2006/03/15 00:58:25 djm Exp $
+$Id: ChangeLog,v 1.4193 2006/03/15 00:58:49 djm Exp $
diff --git a/sshd_config.5 b/sshd_config.5
index 8c714444b..2fc2d057e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.53 2006/02/24 23:51:17 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.54 2006/02/25 12:28:34 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -101,6 +101,12 @@ If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
 .Pp
 See
 .Sx PATTERNS
@@ -124,6 +130,12 @@ By default, login is allowed for all users.
 If the pattern takes the form USER@HOST then USER and HOST
 are separately checked, restricting logins to particular
 users from particular hosts.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
 .Pp
 See
 .Sx PATTERNS
@@ -234,6 +246,12 @@ Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
 .Pp
 See
 .Sx PATTERNS
@@ -249,6 +267,12 @@ By default, login is allowed for all users.
 If the pattern takes the form USER@HOST then USER and HOST
 are separately checked, restricting logins to particular
 users from particular hosts.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
 .Pp
 See
 .Sx PATTERNS

diff --git a/ChangeLog b/ChangeLog index 9f07c8cf4..bdfb7520b 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -182,6 +182,10 @@
182	[ssh_config.5]	182	[ssh_config.5]
183	document the possible values for KbdInteractiveDevices;	183	document the possible values for KbdInteractiveDevices;
184	help/ok dtucker	184	help/ok dtucker
		185	- jmc@cvs.openbsd.org 2006/02/25 12:28:34
		186	[sshd_config.5]
		187	document the order in which allow/deny directives are processed;
		188	help/ok dtucker
185		189
186	20060313	190	20060313
187	- (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)	191	- (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -4083,4 +4087,4 @@
4083	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	4087	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
4084	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	4088	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4085		4089
4086	$Id: ChangeLog,v 1.4192 2006/03/15 00:58:25 djm Exp $	4090	$Id: ChangeLog,v 1.4193 2006/03/15 00:58:49 djm Exp $


diff --git a/sshd_config.5 b/sshd_config.5 index 8c714444b..2fc2d057e 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.53 2006/02/24 23:51:17 jmc Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.54 2006/02/25 12:28:34 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
@@ -101,6 +101,12 @@ If specified, login is allowed only for users whose primary
101	group or supplementary group list matches one of the patterns.	101	group or supplementary group list matches one of the patterns.
102	Only group names are valid; a numerical group ID is not recognized.	102	Only group names are valid; a numerical group ID is not recognized.
103	By default, login is allowed for all groups.	103	By default, login is allowed for all groups.
		104	The allow/deny directives are processed in the following order:
		105	.Cm DenyUsers ,
		106	.Cm AllowUsers ,
		107	.Cm DenyGroups ,
		108	and finally
		109	.Cm AllowGroups .
104	.Pp	110	.Pp
105	See	111	See
106	.Sx PATTERNS	112	.Sx PATTERNS
@@ -124,6 +130,12 @@ By default, login is allowed for all users.
124	If the pattern takes the form USER@HOST then USER and HOST	130	If the pattern takes the form USER@HOST then USER and HOST
125	are separately checked, restricting logins to particular	131	are separately checked, restricting logins to particular
126	users from particular hosts.	132	users from particular hosts.
		133	The allow/deny directives are processed in the following order:
		134	.Cm DenyUsers ,
		135	.Cm AllowUsers ,
		136	.Cm DenyGroups ,
		137	and finally
		138	.Cm AllowGroups .
127	.Pp	139	.Pp
128	See	140	See
129	.Sx PATTERNS	141	.Sx PATTERNS
@@ -234,6 +246,12 @@ Login is disallowed for users whose primary group or supplementary
234	group list matches one of the patterns.	246	group list matches one of the patterns.
235	Only group names are valid; a numerical group ID is not recognized.	247	Only group names are valid; a numerical group ID is not recognized.
236	By default, login is allowed for all groups.	248	By default, login is allowed for all groups.
		249	The allow/deny directives are processed in the following order:
		250	.Cm DenyUsers ,
		251	.Cm AllowUsers ,
		252	.Cm DenyGroups ,
		253	and finally
		254	.Cm AllowGroups .
237	.Pp	255	.Pp
238	See	256	See
239	.Sx PATTERNS	257	.Sx PATTERNS
@@ -249,6 +267,12 @@ By default, login is allowed for all users.
249	If the pattern takes the form USER@HOST then USER and HOST	267	If the pattern takes the form USER@HOST then USER and HOST
250	are separately checked, restricting logins to particular	268	are separately checked, restricting logins to particular
251	users from particular hosts.	269	users from particular hosts.
		270	The allow/deny directives are processed in the following order:
		271	.Cm DenyUsers ,
		272	.Cm AllowUsers ,
		273	.Cm DenyGroups ,
		274	and finally
		275	.Cm AllowGroups .
252	.Pp	276	.Pp
253	See	277	See
254	.Sx PATTERNS	278	.Sx PATTERNS