I'm trying a very specific configuration for the AllowUsers directive that follows the logic below:
I've tried the following:
AllowUsers user1@host1 user1@!* *@*
Unfortunately, whenever the @ is present, it negates the previous parameters, no matter what the order is.
I have two questions: is there an order in which the parameters within the AllowUsers directive are executed, and is the logic above even possible?
The sshd_config man page says that the order of processing is:
The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
So if the "user1" also has its own group "user1" you can use this configuration:
AllowUsers *@host1
DenyGroups user1
AllowGroups *
Another option is to use negation:
DenyUsers user1@!host1
AllowUsers *@*
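An added example, not part of the original answer or of OpenSSH itself: a small Python model of the processing order quoted above, run against the first configuration in the answer to show which directive decides each login. The accounts, group memberships and host names are constructed, the function names are hypothetical, and negated patterns (the second configuration) are not modelled.

```python
import re

def glob_match(pattern, value):
    """sshd-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def user_matches(patterns, user, host):
    """True if any USER or USER@HOST pattern matches (negation is not modelled)."""
    for pat in patterns:
        upat, sep, hpat = pat.partition("@")
        if glob_match(upat, user) and (not sep or glob_match(hpat, host)):
            return True
    return False

def group_matches(patterns, groups):
    return any(glob_match(p, g) for p in patterns for g in groups)

def check_login(cfg, user, host, groups):
    """Apply the four directives in the documented order; return (allowed, decided_by)."""
    if cfg.get("DenyUsers") and user_matches(cfg["DenyUsers"], user, host):
        return False, "DenyUsers"
    # A configured Allow* list is a gate: a login that matches nothing in it is refused.
    if cfg.get("AllowUsers") and not user_matches(cfg["AllowUsers"], user, host):
        return False, "AllowUsers"
    if cfg.get("DenyGroups") and group_matches(cfg["DenyGroups"], groups):
        return False, "DenyGroups"
    if cfg.get("AllowGroups") and not group_matches(cfg["AllowGroups"], groups):
        return False, "AllowGroups"
    return True, "allowed"

# First configuration from the answer above.
CONFIG_1 = {"AllowUsers": ["*@host1"], "DenyGroups": ["user1"], "AllowGroups": ["*"]}

# Constructed test logins: (user, connecting host, groups the user belongs to).
SAMPLE_LOGINS = [
    ("user1", "host1", ["user1"]),
    ("user1", "host2", ["user1"]),
    ("user2", "host1", ["user2"]),
    ("user2", "host2", ["user2"]),
]

def evaluate(cfg, logins=SAMPLE_LOGINS):
    return {f"{u}@{h}": check_login(cfg, u, h, g) for u, h, g in logins}

if __name__ == "__main__":
    for login, (ok, why) in evaluate(CONFIG_1).items():
        print(f"{login:12} {'ALLOW' if ok else 'DENY ':5} ({why})")
```

Every configured directive has to be passed in turn, so the result is the intersection of the four checks rather than a first-match rule list.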