Multiple AllowUsers entry in sshd_Config?

Latest response

Can we have Multiple AllowUsers entry in sshd_Config?

It seems to be working on few and not on few hosts. What's the official way to do it.

Responses

Hi Lokanadhan,

Ideally it should work. As per the man page of 'sshd_config'......

AllowUsers

             This keyword can be followed by a list of user name patterns, separated by spaces.  If
             specified, login is allowed only for user names that match one of the patterns.  Only user
             names are valid; a numerical user ID is not recognized.  By default, login is allowed for
             all users.  If the pattern takes the form USER@HOST then USER and HOST are separately
             checked, restricting logins to particular users from particular hosts.  HOST criteria may
             additionally contain addresses to match in CIDR address/masklen format.  The allow/deny
             directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and
             finally AllowGroups.  All of the specified user and group tests must succeed, before user
             is allowed to log in.

So, if there is a 'denyusers' defined then it would take precedence and also take a note of the 'denygroups' as well. There is nothing defined which limits in declaring multiple 'AllowUsers' parameter in '/etc/ssh/sshd_config' file. Each 'AllowUsers' lines would be parsed one by one and any users not found in those list would be denied access. You may validate allowusers list by running the command '# sshd -T|grep allowusers '. If there is still a concern, please write back with more details, and version of RHEL and SSH being used.

That's what i thought too. But my engineering team believes otherwise. On a server they were not able to login, because of multiple entries. ( not sure how that happened ).

I've asked them to validate on few other servers and confirm. I just wanted to know your thoughts on this, since i couldn't find anything official.

I'll wait for my team to validate and get back. Will update here with the results.

Can you share your entries from sshd_config to see how you have done .

Will do, if my engineering team finds issues on more servers.

The AllowUsers keyword can appear only once in sshd_config but it can list multiple user IDs on that line. If there are multiple lines with AllowUsers on it, then only entries on the last AllowUsers line would be permitted to login. If you need a large number of IDs to be allowed access, then using AllowGroups would be a better choice and place all of the required IDs into the group specified

This would allow users A, B, C and D to login AllowUsers A B C D

The following would not work, only users C and D would be able to login: AllowUsers A B AllowUser C D

It works on RHEL 6

AllowUsers root AllowUsers test-user

root is able to login with above config in sshd_config. I'll test it on RHEL7 and post here. I just wanted to know what's the official documentation say.

The ability of the root ID to login would more likely be controlled by the PermitRootLogin keyword rather than AllowUsers. PermitRootLogin defaults to yes unless overridden in sshd_config

It works as Lokanadhan said. Any user who is defined in 'AllowUsers' would gets allowed and this is true irrespective of whether it is defined in multiple lines. Check out this:

[root@rhel7 ~]# sshd -T|grep allowuser
allowusers test1
allowusers test2

I was able to do ssh into this system from another system as both 'test1' & 'test2' user :

[root@ansiblehost ~]# ssh test1@rhel7
test1@rhel7's password:
Last login: Wed Jan 23 04:10:52 2019 from ansiblehost
[test1@rhel7 ~]$ logout
Connection to rhel7 closed.

[root@ansiblehost ~]# ssh test2@rhel7
test2@rhel7's password:
Last login: Wed Jan 23 01:59:35 2019 from ansiblehost
[test2@rhel7 ~]$ logout

Any user who is not allowed would by default gets denied :

[root@ansiblehost ~]# ssh test3@rhel7
test3@rhel7's password:
Permission denied, please try again.

Lokanadhan, if there is a requirement to set large number of users in the 'AllowUsers' list then it is better that you add all users into a group and then set 'AllowGroups' parameter in the configuration file as Darrell told before. However, declaring multiple lines of 'AllowUsers' does works.

Thank you. I know this works, I just wanted your opinion on the official/best way to do it.

Thank You all again.