I'm trying to modify /etc/ssh/sshd_config on my dedicated Debian 7 server with both AllowUsers and AllowGroups. However, I can't seem to get both to work together.
The Setup
- There's a user called testuser.
- That user is in a group called ssh-users:
    $ groups testuser
    testuser : testuser ssh-users
- testuser is trying to connect via ssh testuser@<server_ip> and entering their password.
- My sshd_config can be found here: http://pastebin.com/iZvVDFKL – I think basically the only changes I made from default were:
  - to set PermitRootLogin no
  - and add two users with AllowUsers (actual usernames differ on my server)
- service ssh restart is run each time after modifying sshd_config.
The Problem
- testuser can connect when set with AllowUsers:
    AllowUsers user1 user2 testuser
- testuser can NOT connect when setting AllowGroups for its group:
    AllowUsers user1 user2
    AllowGroups ssh-users
  which results in "Permission denied, please try again." when testuser enters their password in the ssh password prompt.
The Question
- Does AllowUsers override AllowGroups?
- What's the best way to fix this without manually adding the username to AllowUsers? Ideally I'd like to be able to just add users to the ssh-users group in the future without having to touch sshd_config again.
Best Answer
Yes, AllowUsers takes precedence over AllowGroups. If specified, only the users that match the pattern specified in AllowUsers may connect to the SSHD instance.

According to sshd_config manpage:

So, the solution to your problem is probably to use one or the other, possibly the group access directives if groups are your preferred way to manage users.
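
Added example, not part of the original question or answer: a small Python model of the check order that sshd_config(5) documents for these lists (DenyUsers, AllowUsers, DenyGroups, AllowGroups), run against constructed configs that mirror the setup above. The function names and sample configs are assumptions made for illustration; USER@HOST forms and negated patterns are ignored, and fnmatch only approximates sshd's `*` and `?` wildcards.

```python
from fnmatch import fnmatchcase

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_lists(config_text):
    """Collect the four access-list directives from sshd_config text."""
    lists = {name: [] for name in DIRECTIVES}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *patterns = line.split()
        if keyword.lower() in lists:                  # keywords are case-insensitive
            lists[keyword.lower()].extend(patterns)   # repeated lines accumulate
    return lists

def _matches(names, patterns):
    return any(fnmatchcase(n, p) for n in names for p in patterns)

def login_allowed(config_text, user, groups):
    """Return (allowed, deciding_directive) for one account."""
    acl = parse_access_lists(config_text)
    if _matches([user], acl["denyusers"]):
        return False, "DenyUsers"
    # A non-empty AllowUsers list rejects everyone it does not name,
    # before group membership is ever looked at.
    if acl["allowusers"] and not _matches([user], acl["allowusers"]):
        return False, "AllowUsers"
    if _matches(groups, acl["denygroups"]):
        return False, "DenyGroups"
    if acl["allowgroups"] and not _matches(groups, acl["allowgroups"]):
        return False, "AllowGroups"
    return True, "allowed"

# Constructed sample configs mirroring the question's setup.
BOTH = "PermitRootLogin no\nAllowUsers user1 user2\nAllowGroups ssh-users\n"
GROUPS_ONLY = "PermitRootLogin no\nAllowGroups ssh-users\n"

if __name__ == "__main__":
    cases = [
        (BOTH, "testuser", ["testuser", "ssh-users"]),
        (BOTH, "user1", ["user1"]),
        (GROUPS_ONLY, "testuser", ["testuser", "ssh-users"]),
        (GROUPS_ONLY, "user1", ["user1", "ssh-users"]),
    ]
    for cfg, user, groups in cases:
        print(user, groups, "->", login_allowed(cfg, user, groups))
```

With only AllowGroups set, user1 and user2 must be added to ssh-users before sshd is restarted, otherwise they lose access as well.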