• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

sshd_config DenyUsers and AllowUsers have no effect

nforced

Member

Thanks: 7
Messages: 85

#1
I have a little frustration here, I can't restrict logins to sshd.

I got these two lines at the end of my /etc/ssh/sshd_config file
Code:
DenyUsers baduser
AllowUsers remote
I did service sshd reload (and restart) with no effect, any user on the system can login including baduser which should be explicitly denied...

Any suggestions?
 

nforced

Member

Thanks: 7
Messages: 85

#2
Silly me!

Code:
Match Group sftponly
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

DenyUsers baduser
AllowUsers remote
Match blocks must be at the bottom of the config file or as in my case anything appended after the match block will be considered part of the match...
So DenyUsers and AllowUsers were only applied to users part of the sftponly group - not what I wanted!

There is one other trick that can be done here if one is still willing to put global directives after Match block
Code:
Match All
       DenyUsers baduser
       AllowUsers remote
 
Last edited: