sshd_config AllowUsers

user1967720 · Feb 7, 2013

I'm trying a very specific configuration for the AllowUsers directive that follows the logic below:

  • Allow user1 to ssh from host1
  • Deny user1 to ssh from any other host
  • Allow all other users from any host

I've tried the following:

AllowUsers user1@host1 user1@!* *@*

Unfortunately, whenever the @ is present, it negates the previous parameters, no matter what the order is.

I have two questions: is there an order in which the parameters within the AllowUsers directive are executed, and is the logic above even possible?

Answer

keypress · Nov 24, 2016

The sshd_config man page says that the order of processing is:

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So if "user1" also has its own group "user1", you can use this configuration:

AllowUsers *@host1
DenyGroups user1
AllowGroups *

Another option is to use negation:

DenyUsers user1@!host1
AllowUsers *@*
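
The processing order quoted above can be exercised against concrete logins before a directive set goes onto a server. The Python model below is an added example, not OpenSSH code and not part of the original question or answer; it applies that order, plus the negation rule from PATTERNS in ssh_config(5), to the directive sets on this page. Assumptions: `host` is the client name as sshd resolved it, patterns use only `*` and `?`, the logins are constructed, and the `negation+wildcard` entry is a constructed variant that does not appear on the page.

```python
from fnmatch import fnmatchcase  # stands in for sshd's '*' and '?' wildcards
def match_list(value, patterns):
    """Pattern list per ssh_config(5) PATTERNS: '!' negates, negated-only lists never match."""
    positive = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if fnmatchcase(value, pat[1:] if negated else pat):
            if negated:
                return False  # a negated hit vetoes the whole list
            positive = True
    return positive

def match_user(user, host, pattern):
    """USER or USER@HOST: USER is one pattern, HOST is a pattern list."""
    upat, at, hpat = pattern.partition("@")
    return fnmatchcase(user, upat) and (not at or match_list(host, hpat))

def decide(cfg, user, groups, host):
    """Apply the documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    def users(key):
        return any(match_user(user, host, p) for p in cfg.get(key, []))
    def grps(key):
        return any(match_list(g, p) for g in groups for p in cfg.get(key, []))
    if users("DenyUsers"):
        return "deny: DenyUsers"
    if "AllowUsers" in cfg and not users("AllowUsers"):
        return "deny: not in AllowUsers"
    if grps("DenyGroups"):
        return "deny: DenyGroups"
    if "AllowGroups" in cfg and not grps("AllowGroups"):
        return "deny: not in AllowGroups"
    return "allow"

CONFIGS = {  # the first three are the directive sets from this page
    "question": {"AllowUsers": ["user1@host1", "user1@!*", "*@*"]},
    "groups": {"AllowUsers": ["*@host1"], "DenyGroups": ["user1"], "AllowGroups": ["*"]},
    "negation": {"DenyUsers": ["user1@!host1"], "AllowUsers": ["*@*"]},
    # constructed variant, not from the page: the wildcard supplies the positive match
    "negation+wildcard": {"DenyUsers": ["user1@!host1,*"], "AllowUsers": ["*@*"]},
}
LOGINS = [("user1", ["user1"], "host1"), ("user1", ["user1"], "host2"),
          ("user2", ["user2"], "host2")]  # constructed: (user, groups, client host)

def evaluate():
    return {(name, u, h): decide(cfg, u, g, h)
            for name, cfg in CONFIGS.items() for u, g, h in LOGINS}
if __name__ == "__main__":
    for (name, u, h), verdict in evaluate().items():
        print(f"{name:18} {u}@{h:6} -> {verdict}")
```

The verdicts to compare against the intended policy are `user1` from `host1` allowed, `user1` from `host2` denied, and `user2` from `host2` allowed.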