Sshd_config AllowUsers Syntax Wrong In Documentation


It seems the syntax for AllowUsers in sshd_config is not the same as that given in man sshd_config and in several documents on the web.
(http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config)

e.g.

AllowUsers root

does work.

AllowUsers root username

does not work.

If I try to login as root I get “User root from not allowed because not listed in AllowUsers”. I tried separating by comma (just in case) which fails as well.

man page mentions checking against hosts only if you use a root@hostname pattern there.

AllowUser root@* username

works for me (with root, didn’t check the username), but this should not be necessary according to documentation. If “root” is allowed as a “pattern” it doesn’t matter if there are more “patterns” coming or not.

It seems that as soon as two names are listed it’s read as one user (“root username”), e.g. it does not use the whitespace as a terminator.

UsePAM=no , in case that makes a difference. CentOS 5.9, standard OpenSSH.

I’ve noticed this discrepancy already in the past, but didn’t investigate. I also think that this syntax contradicts what man ssh_config says about pattern lists, because for pattern-lists (which I understand is a list of patterns for one directive) SSH wants a comma-separated list. http://www.openssh.com/cgi-bin/man.cgi?query=ssh_config
(man sshd_config says to look in ssh_config for pattern syntax.)

I think this is a serious bug as it can lock you out very quickly while you want to secure your machine (once you want to have more than one user).

Do you share the same opinion or am I doing something wrong and it works like advertised?

Kai

2 thoughts on - Sshd_config AllowUsers Syntax Wrong In Documentation

  • Reindl Harald wrote on Thu, 26 Jun 2014 13:04:21 +0200:

    Don’t say it’s “not true”. ;-) I tried it at least half an hour with all possible combinations and only the user@* pattern worked. I made absolutely sure that I restarted the SSH server each time. I know also pretty well, that I had the same problem at least once some time ago, but didn’t investigate then. As soon as I add a second user and restart the server I get the error I mentioned earlier.

    I’ve re-checked now after changing some of the config to yours and it works without the host part. I removed the changes and it is still working. I’m a bit puzzled. If I hadn’t been sure before I wouldn’t have posted.

    The only settings that were different from yours were:
    just PermitRootLogin yes

    but, as said, no change there, back and fro, makes a difference, it works with your and with mine settings.

    not set at all not set at all

    So, whatever, it works now as it should. Thanks, anyway.

    Kai

  • IIRC, I had encountered similar issue on a Debian box but did not investigate much.

    Instead, I went with the “AllowGroups” option e.g. AllowGroups admins

    and add users to the group. Only members of the group can login with ssh.

    HTH,
    — Arun Khan
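A small model of how sshd tokenises an AllowUsers line and matches a login against it, added here as an illustration; it is not code from this thread or from OpenSSH. It assumes whitespace-separated USER or USER@HOST patterns as the man page describes, and uses Python's fnmatch as a stand-in for sshd's own `*`/`?` wildcard matcher (fnmatch additionally accepts `[...]` ranges, which sshd does not).

```python
import fnmatch


def parse_allow_users(line):
    """Split one 'AllowUsers' line into (user_pattern, host_pattern) tuples.

    sshd separates patterns with whitespace, so 'root username' is two
    patterns while 'root,username' is a single pattern containing a literal
    comma (the comma-separated form belongs to Match/pattern-lists, not here).
    A pattern without '@' matches any source host (host_pattern = None).
    """
    key, _, rest = line.strip().partition(" ")
    if key != "AllowUsers":
        raise ValueError(f"unsupported keyword {key!r} (sshd -t rejects unknown keywords)")
    patterns = []
    for token in rest.split():
        user, at, host = token.partition("@")
        patterns.append((user, host if at else None))
    return patterns


def user_allowed(patterns, user, host):
    """Return True if (user, host) is permitted by the parsed AllowUsers patterns.

    Simplification: sshd checks the client's hostname and its IP address
    against the host pattern; this model takes a single host string.
    """
    for user_pat, host_pat in patterns:
        if not fnmatch.fnmatchcase(user, user_pat):
            continue
        if host_pat is None or fnmatch.fnmatchcase(host, host_pat):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample directives mirroring the variants discussed in the thread.
    for directive in ("AllowUsers root username", "AllowUsers root,username",
                      "AllowUsers root@* username", "AllowUsers admin@10.0.0.*"):
        pats = parse_allow_users(directive)
        for who, where in (("root", "10.0.0.5"), ("username", "10.0.0.5"), ("admin", "192.168.1.7")):
            print(f"{directive!r}: {who}@{where} -> {user_allowed(pats, who, where)}")
```

Running it shows that the space-separated form admits both users, and that the comma-separated form admits neither, since no account is literally named `root,username`.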