Bug 2391 - Enhance AllowGroups documentation in man page
Status: NEW
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: 6.8p1
Hardware: All
OS: All
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2015-04-28 18:49 AEST by Jakub Jelen
Modified: 2015-04-28 18:49 AEST
Description Jakub Jelen 2015-04-28 18:49:16 AEST
Our customer ran into problems using AllowGroups in combination with AllowUsers, because the documentation in this part is a little bit unclear.

The original problem is that when you use AllowUsers in combination with AllowGroups, only users who are specified in AllowUsers AND one of whose groups is in AllowGroups can log in.

Minimal test case:
/etc/ssh/sshd_config
>AllowUsers user
>AllowGroups user
user:user can log in

/etc/ssh/sshd_config
>AllowUsers user
>AllowGroups othergroup
user:user can NOT log in

/etc/ssh/sshd_config
>AllowUsers otheruser
>AllowGroups user
user:user can NOT log in


The manual page states:
> ".. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups."
It is not mentioned what happens if you succeed with the User tests, i.e. whether the chain continues to the Groups tests or not. This should be made clear so as not to confuse users.

In spite of all the other bugs related to similar issues (#2292, #1690), I would say that this should be properly documented. Changes in evaluation can be pretty dangerous.

The customer proposes to mention this exact use case:
>If both AllowGroups and AllowUsers are specified, both must succeed before login is allowed.

My proposal is more generic. I would append such a sentence after the above-mentioned quote:
> All of the user and group tests must succeed before the user is allowed to log in.

If I'm not missing something, this should explain it a little bit better and avoid further confusion.
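The evaluation order the report discusses, modelled as an added Python example (not OpenSSH code): each of the four directives is a separate gate in the documented order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and every gate must pass, which reproduces the three minimal test cases above. The `parse_sshd_access` helper and the `fnmatch`-based wildcard matching are simplifications assumed here, not sshd's own parser or `match_pattern`.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class SshdAccessConfig:
    """Only the four allow/deny directives of sshd_config (constructed model)."""
    deny_users: list = field(default_factory=list)
    allow_users: list = field(default_factory=list)
    deny_groups: list = field(default_factory=list)
    allow_groups: list = field(default_factory=list)


def _matches_any(name, patterns):
    # fnmatch stands in for sshd's wildcard matching (assumption, * and ? only)
    return any(fnmatch(name, p) for p in patterns)


def login_allowed(cfg, user, groups):
    """Return (allowed, reason). Gates run in the man page's order and ALL must pass:
    a user who passes AllowUsers is still rejected if AllowGroups is set and
    none of their groups is listed, which is the behaviour the report describes."""
    if _matches_any(user, cfg.deny_users):
        return False, "user matches DenyUsers"
    if cfg.allow_users and not _matches_any(user, cfg.allow_users):
        return False, "AllowUsers is set and user is not listed"
    if any(_matches_any(g, cfg.deny_groups) for g in groups):
        return False, "a group of the user matches DenyGroups"
    if cfg.allow_groups and not any(_matches_any(g, cfg.allow_groups) for g in groups):
        return False, "AllowGroups is set and no group of the user is listed"
    return True, "all user and group tests passed"


def parse_sshd_access(text):
    """Pick the four keywords out of sshd_config text ('Keyword value ...' lines only)."""
    cfg = SshdAccessConfig()
    keys = {"denyusers": "deny_users", "allowusers": "allow_users",
            "denygroups": "deny_groups", "allowgroups": "allow_groups"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        attr = keys.get(keyword.lower())      # sshd keywords are case-insensitive
        if attr:
            getattr(cfg, attr).extend(value.split())
    return cfg
```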