How to use both AllowGroups and AllowUsers in sshd_config?

I'm trying to modify /etc/ssh/sshd_config on my dedicated debian7 server with both AllowUsers and AllowGroups. However, I can't seem to get both to work together.


The Setup

  • There's a user called testuser.
  • That user is in a group called ssh-users:

    $ groups testuser
    testuser : testuser ssh-users
    
  • testuser is trying to connect via ssh testuser@<server_ip> and entering their password.

  • My sshd_config can be found here: http://pastebin.com/iZvVDFKL - I think basically the only changes I made from default were:
    • to set PermitRootLogin no
    • and add two users with AllowUsers (actual usernames differ on my server)
  • service ssh restart is run each time after modifying sshd_config.

The Problem

  • testuser can connect when set with AllowUsers:

    AllowUsers user1 user2 testuser
    
  • testuser can NOT connect when setting AllowGroups for its group:

    AllowUsers user1 user2
    AllowGroups ssh-users
    

    which results in "Permission denied, please try again." when testuser enters their password in the ssh password prompt.


The Question

  • Does AllowUsers override AllowGroups?
  • What's the best way to fix this without manually adding the username to AllowUsers? Ideally I'd like to be able to just add users to the ssh-users group in the future without having to touch sshd_config again.

Yes, AllowUsers takes precedence over AllowGroups. If specified, only the users that match the pattern specified in AllowUsers may connect to the SSHD instance.

According to sshd_config manpage:

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So, the solution to your problem is probably to use one or the other, possibly the group access directives if groups are your preferred way to manage users.


Here is a solution we have found working:

AllowUsers user1 user2
Match group ssh-users
    AllowUsers *

Jeff's answer covers the specifics of the question as detailed, but I found this question looking to use AllowUsers and AllowGroups in a slightly different scenario. I wanted to restrict incoming connections to users in a group (ssh) coming from specific subnets.

The connection rules in sshd_config are a filter - as each additional rule is applied, the set of acceptable users can only be reduced. PATTERNS in ssh_config(5) explains the form of those rules.

Additionally, according to the AllowUsers section of sshd_config:

If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format.

AllowGroups doesn't accept the USER@HOST form.

So, to accept users 1) in the ssh group and 2) from specific subnets/hosts:

AllowUsers *@192.168.1.0/24 *@*.example.com *@1.2.3.4
AllowGroups ssh

I did a test on RedHat 8.1. It seems that it's more complicated.

AllowUsers user1 user2
AllowGroups ssh-users

If user1 and user2 are not in the ssh-users group, then

  1. user1 or user2 can NOT ssh login.
  2. users in ssh-users group can NOT ssh login either!

The thing is, if both AllowUsers and AllowGroups are used, then only the intersection of them is able to ssh login. It's kind of weird but actually makes sense.
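The answers above disagree on whether AllowUsers "wins" or whether the two lists intersect, so here is a small model of the decision sshd makes, written as an added example for this page (it is not code from the thread or from OpenSSH). It applies the four directives in the order sshd_config(5) documents (DenyUsers, AllowUsers, DenyGroups, AllowGroups), treats a non-empty AllowUsers and a non-empty AllowGroups as two filters that both have to pass, handles the USER@HOST and CIDR forms from the subnet answer, and models a Match block's AllowUsers as replacing the global list for the connections the block applies to, which is what makes the `Match group ssh-users` answer work. The three config texts and the user/group table are constructed for the example; sshd's `!` negation syntax is not modelled.

```python
"""Model of how sshd decides whether a login passes the four list directives.

Added illustration, not OpenSSH code. Order follows sshd_config(5):
DenyUsers, AllowUsers, DenyGroups, AllowGroups. A non-empty AllowUsers
and a non-empty AllowGroups must BOTH match (intersection). A Match block
that applies replaces the global AllowUsers for that connection.
Patterns support '*' and '?' only; '!' negation is not modelled.
"""
import ipaddress
import re

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

# Constructed stand-in for the group database (what `groups <user>` prints).
GROUPS = {
    "user1": ["user1"],
    "user2": ["user2"],
    "testuser": ["testuser", "ssh-users"],
    "alice": ["alice", "ssh"],
    "stranger": ["stranger"],
}


def glob_match(pattern, text):
    """sshd-style glob: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text) is not None


def addr_match(pattern, addr):
    """HOST part against the client IP: CIDR block (address/masklen) or glob."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return glob_match(pattern, addr)


def user_match(pattern, user, hostname, addr):
    """AllowUsers/DenyUsers entry: plain USER, or USER@HOST checked separately."""
    if "@" not in pattern:
        return glob_match(pattern, user)
    upat, hpat = pattern.split("@", 1)
    return glob_match(upat, user) and (glob_match(hpat, hostname) or addr_match(hpat, addr))


def match_applies(criteria, user, groups, hostname, addr):
    """Evaluate a Match line's criterion/value pairs; every pair must hold."""
    for crit, val in zip(criteria[0::2], criteria[1::2]):
        crit, pats = crit.lower(), val.split(",")
        if crit == "user":
            ok = any(glob_match(p, user) for p in pats)
        elif crit == "group":
            ok = any(glob_match(p, g) for p in pats for g in groups)
        elif crit == "host":
            ok = any(glob_match(p, hostname) for p in pats)
        elif crit == "address":
            ok = any(addr_match(p, addr) for p in pats)
        else:
            raise ValueError(f"Match criterion not modelled: {crit!r}")
        if not ok:
            return False
    return True


def effective_options(config, user, groups, hostname, addr):
    """Collect the list directives for one connection, honouring Match blocks."""
    opts = {d: [] for d in DIRECTIVES}
    in_match, active, replaced = False, True, set()
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":
            in_match = True
            active = match_applies(args, user, groups, hostname, addr)
        elif key in DIRECTIVES and active:
            if in_match and key not in replaced:
                opts[key] = []  # first use inside a Match block replaces the global list
                replaced.add(key)
            opts[key].extend(args)
    return opts


def login_allowed(config, user, hostname="client", addr="192.168.1.5"):
    """Return (allowed, directive that decided it) in sshd's evaluation order."""
    groups = GROUPS.get(user, [user])
    o = effective_options(config, user, groups, hostname, addr)
    if any(user_match(p, user, hostname, addr) for p in o["denyusers"]):
        return False, "DenyUsers"
    if o["allowusers"] and not any(user_match(p, user, hostname, addr) for p in o["allowusers"]):
        return False, "AllowUsers"
    if any(glob_match(p, g) for p in o["denygroups"] for g in groups):
        return False, "DenyGroups"
    if o["allowgroups"] and not any(glob_match(p, g) for p in o["allowgroups"] for g in groups):
        return False, "AllowGroups"
    return True, "allowed"


# Constructed copies of the three configurations discussed in the thread.
CONFIG_BOTH_LISTS = "AllowUsers user1 user2\nAllowGroups ssh-users\n"
CONFIG_MATCH_GROUP = "AllowUsers user1 user2\nMatch group ssh-users\n    AllowUsers *\n"
CONFIG_GROUP_AND_SUBNET = "AllowUsers *@192.168.1.0/24 *@*.example.com *@1.2.3.4\nAllowGroups ssh\n"

if __name__ == "__main__":
    for name, cfg, users in (("both lists", CONFIG_BOTH_LISTS, ["user1", "testuser"]),
                             ("Match group", CONFIG_MATCH_GROUP, ["user1", "testuser", "stranger"]),
                             ("group+subnet", CONFIG_GROUP_AND_SUBNET, ["alice", "user1"])):
        for u in users:
            print(f"{name:13} {u:9} from 192.168.1.5 -> {login_allowed(cfg, u)}")
    print("group+subnet alice from box.example.com/10.0.0.5 ->",
          login_allowed(CONFIG_GROUP_AND_SUBNET, "alice", "box.example.com", "10.0.0.5"))
```

With the first config nobody gets in (user1 fails AllowGroups, testuser fails AllowUsers), which is the RedHat result; with the Match block both do, and a user in neither list is still refused. On a real server the equivalent check is `sshd -T -C user=testuser,host=client,addr=192.168.1.5`, which prints the effective allowusers/allowgroups after Match processing for that connection, and `sshd -t` to syntax-check before restarting.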