Re: Question regarding allow and deny users

From: James Dennis
Date: 02/28/03

    Date: Fri, 28 Feb 2003 09:52:34 -0500
    From: James Dennis

    Hello Samaresh,

    > 1. If a user is put in allow user's list, can the same be put in the deny user's list also? If
    > yes, then is the user allowed access by the sshd?

    Bad idea, just don't do it.

    > 2. If a user is not put in both the lists, is he given access rights? Let's say a user is not
    > in the allow user's list, then by default (I guess thinking logically) he should not be given
    > access rights, in that case, why do we have a deny user's list?

    If there are no Allow/Deny directives all access is allowed (the
    default). If you place AllowUsers james in sshd_config, then only james
    is allowed to access the system and everyone else is denied. If you
    place DenyUsers james, the default of allowing everyone into the system
    is still there, but james is denied.

    See OpenSSH's mailing list archive for information regarding
    questionable behavior of how Allow/Deny Users/Groups behaves. Ben
    Lindstrom was kind enough to fix the behavior for OpenSSH's current
    source and I modified his patch to work for OpenSSH's 3.5 release (I
    just changed line numbers, Ben is still the code wizard).

    Also, for any more confusion, please check the man. This stuff is
    written up pretty clearly in there.

    James Dennis
    Harvard Law School
    "Not everything that counts can be counted,
    and not everything that can be counted counts."
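
Added example, not part of the message above and not OpenSSH code: a small Python model of how the four access directives combine, following the processing order documented in current sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups) rather than the 3.5-era behaviour the message mentions. It goes beyond the three cases in the message by also covering group directives and a user named in both lists; the function names and sample configurations are constructed, and only the '*' and '?' wildcards are modelled.

```python
import re

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_lists(config_text):
    """Collect the patterns of the four directives from sshd_config text."""
    lists = {name: [] for name in DIRECTIVES}
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        keyword = words[0].lower()          # sshd_config keywords are case-insensitive
        if keyword in lists:
            lists[keyword].extend(words[1:])  # repeated directives accumulate
    return lists

def _matches(name, patterns):
    # Assumption: only '*' and '?' are modelled (no '!' negation, no USER@HOST form).
    return any(
        re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."), name)
        for p in patterns
    )

def login_permitted(user, groups, lists):
    """Return (allowed, reason); deny checks run before the matching allow checks."""
    if _matches(user, lists["denyusers"]):
        return False, "listed in DenyUsers"
    if lists["allowusers"] and not _matches(user, lists["allowusers"]):
        return False, "not listed in AllowUsers"
    if any(_matches(g, lists["denygroups"]) for g in groups):
        return False, "group listed in DenyGroups"
    if lists["allowgroups"] and not any(_matches(g, lists["allowgroups"]) for g in groups):
        return False, "no group listed in AllowGroups"
    return True, "no directive excludes the user"

# Constructed sample configurations covering the cases discussed in the thread.
SAMPLES = {
    "no directives": "Port 22\n",
    "allow only": "AllowUsers james\n",
    "deny only": "DenyUsers james\n",
    "both lists": "AllowUsers james\nDenyUsers james\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        lists = parse_access_lists(text)
        for user in ("james", "samaresh"):
            print(f"{label:14} {user:9} {login_permitted(user, [], lists)}")
```
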