SSH – How to use both AllowGroups and AllowUsers in sshd_config

debian ssh

I'm trying to modify /etc/ssh/sshd_config on my dedicated Debian 7 server with both AllowUsers and AllowGroups. However, I can't seem to get both to work together.


The Setup

  • There's a user called testuser.
  • That user is in a group called ssh-users:

    $ groups testuser
    testuser : testuser ssh-users
    
  • testuser is trying to connect via ssh testuser@<server_ip> and entering their password.

  • My sshd_config can be found here: http://pastebin.com/iZvVDFKL – I think basically the only changes I made from default were:
    • to set PermitRootLogin no
    • and add two users with AllowUsers (actual usernames differ on my server)
  • service ssh restart is run each time after modifying sshd_config.

The Problem

  • testuser can connect when set with AllowUsers:

    AllowUsers user1 user2 testuser
    
  • testuser can NOT connect when setting AllowGroups for its group:

    AllowUsers user1 user2
    AllowGroups ssh-users
    

    which results in Permission denied, please try again. when testuser enters their password in the ssh password prompt.


The Question

  • Does AllowUsers override AllowGroups?
  • What's the best way to fix this without manually adding the username to AllowUsers? Ideally I'd like to be able to just add users to the ssh-users group in the future without having to touch sshd_config again.

Best Answer

Yes, AllowUsers takes precedence over AllowGroups. If specified, only the users that match the pattern specified in AllowUsers may connect to the SSHD instance.

According to sshd_config manpage:

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So, the solution to your problem is probably to use one or the other, possibly the group access directives if groups are your preferred way to manage users.
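
The processing order quoted above, as an added example that is not part of the original answer: a simplified Python model in which a login must pass every directive that is set. The function names, the config dictionaries and the assumption that user1 and user2 are not members of ssh-users are constructed for illustration; USER@HOST and negated patterns are not modelled.

```python
from fnmatch import fnmatchcase

def matches(name, patterns):
    """True if name matches any pattern (approximates sshd's '*' and '?' wildcards)."""
    return any(fnmatchcase(name, p) for p in patterns)

def sshd_allows(user, groups, cfg):
    """Return (allowed, deciding_directive) for one login attempt.

    Checks run in the man page order: DenyUsers, AllowUsers, DenyGroups,
    AllowGroups. A directive that is not set is skipped; a directive that
    is set must be satisfied, so the checks are cumulative.
    """
    if matches(user, cfg.get("DenyUsers", [])):
        return False, "DenyUsers"
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not matches(user, allow_users):
        return False, "AllowUsers"
    if any(matches(g, cfg.get("DenyGroups", [])) for g in groups):
        return False, "DenyGroups"
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not any(matches(g, allow_groups) for g in groups):
        return False, "AllowGroups"
    return True, "ok"

# Constructed account data mirroring the question. Assumption: user1 and
# user2 belong only to their own primary groups.
ACCOUNTS = {
    "testuser": ["testuser", "ssh-users"],
    "user1": ["user1"],
    "user2": ["user2"],
}

# The configuration from the question, and a group-only alternative.
FAILING = {"AllowUsers": ["user1", "user2"], "AllowGroups": ["ssh-users"]}
GROUP_ONLY = {"AllowGroups": ["ssh-users"]}

def report(cfg):
    """Evaluate every constructed account against one configuration."""
    return {user: sshd_allows(user, groups, cfg) for user, groups in ACCOUNTS.items()}

if __name__ == "__main__":
    for label, cfg in (("AllowUsers + AllowGroups", FAILING), ("AllowGroups only", GROUP_ONLY)):
        print(label)
        for user, (ok, directive) in report(cfg).items():
            print(f"  {user:9} {'allowed' if ok else 'denied'} ({directive})")
```

Under these assumptions the combined configuration also rejects user1 and user2 at the AllowGroups check, so with a group-only configuration they need to be added to ssh-users as well.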