From: millert@openbsd.org Date: Thu, 22 Jan 2026 15:30:07 +0000 (+0000) Subject: upstream: Make it clear that DenyUsers/DenyGroups overrides X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=409dc952ab88b5232e809e34fd55662c6f75ad81;p=thirdparty%2Fopenssh-portable.git upstream: Make it clear that DenyUsers/DenyGroups overrides AllowUsers/AllowGroups. Previously we specified the order in which the directives are processed but it was ambiguous as to what happened if both matched. OK djm@ OpenBSD-Commit-ID: 6ae0ab52ff796b78486b92a45cd7ec9310e20f4e --- diff --git a/sshd_config.5 b/sshd_config.5 index 8a51582a5..80cb2cecb 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.392 2025/12/18 23:54:10 jsg Exp $ -.Dd $Mdocdate: December 18 2025 $ +.\" $OpenBSD: sshd_config.5,v 1.393 2026/01/22 15:30:07 millert Exp $ +.Dd $Mdocdate: January 22 2026 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -113,9 +113,9 @@ If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -The allow/deny groups directives are processed in the following order: -.Cm DenyGroups , -.Cm AllowGroups . +.Cm AllowGroups +is not consulted for groups matched by +.Cm DenyGroups . .Pp See PATTERNS in .Xr ssh_config 5 @@ -173,9 +173,9 @@ are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. -The allow/deny users directives are processed in the following order: -.Cm DenyUsers , -.Cm AllowUsers . +.Cm AllowUsers +is not consulted for users matched by +.Cm DenyUsers . .Pp See PATTERNS in .Xr ssh_config 5 @@ -636,9 +636,9 @@ Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -The allow/deny groups directives are processed in the following order: -.Cm DenyGroups , -.Cm AllowGroups . +.Cm AllowGroups +is not consulted for groups matched by +.Cm DenyGroups . .Pp See PATTERNS in .Xr ssh_config 5 @@ -657,9 +657,9 @@ are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. -The allow/deny users directives are processed in the following order: -.Cm DenyUsers , -.Cm AllowUsers . +.Cm AllowUsers +is not consulted for users matched by +.Cm DenyUsers . .Pp See PATTERNS in .Xr ssh_config 5