Comments 9 Posted In Red Hat Enterprise Linux Tags ssh Multiple AllowUsers entry in sshd_Config? Latest response 2019-01-31T08:10:48+00:00 Can we have Multiple AllowUsers entry in sshd_Config? It seems to be working on few and not on few hosts. What's the official way to do it. LK Started 2019-01-30T11:29:00+00:00 by Lokanadhan Karthik Community Member 25 points Log in to join the conversation Responses Sort By Oldest Sort By Newest SM Guru 5838 points 30 January 2019 1:04 PM Sadashiva Murthy M Hi Lokanadhan, Ideally it should work. As per the man page of 'sshd_config'...... AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All of the specified user and group tests must succeed, before user is allowed to log in. So, if there is a 'denyusers' defined then it would take precedence and also take a note of the 'denygroups' as well. There is nothing defined which limits in declaring multiple 'AllowUsers' parameter in '/etc/ssh/sshd_config' file. Each 'AllowUsers' lines would be parsed one by one and any users not found in those list would be denied access. You may validate allowusers list by running the command '# sshd -T|grep allowusers '. If there is still a concern, please write back with more details, and version of RHEL and SSH being used. LK Community Member 25 points 30 January 2019 1:57 PM Lokanadhan Karthik That's what i thought too. But my engineering team believes otherwise. On a server they were not able to login, because of multiple entries. ( not sure how that happened ). I've asked them to validate on few other servers and confirm. I just wanted to know your thoughts on this, since i couldn't find anything official. I'll wait for my team to validate and get back. Will update here with the results. MS Pro Community Member 414 points 30 January 2019 1:53 PM Mohammed Sadiq Can you share your entries from sshd_config to see how you have done . LK Community Member 25 points 30 January 2019 1:57 PM Lokanadhan Karthik Will do, if my engineering team finds issues on more servers. DH Community Member 25 points 30 January 2019 3:55 PM Darrell Hoffman The AllowUsers keyword can appear only once in sshd_config but it can list multiple user IDs on that line. If there are multiple lines with AllowUsers on it, then only entries on the last AllowUsers line would be permitted to login. If you need a large number of IDs to be allowed access, then using AllowGroups would be a better choice and place all of the required IDs into the group specified This would allow users A, B, C and D to login AllowUsers A B C D The following would not work, only users C and D would be able to login: AllowUsers A B AllowUser C D LK Community Member 25 points 30 January 2019 4:08 PM Lokanadhan Karthik It works on RHEL 6 AllowUsers root AllowUsers test-user root is able to login with above config in sshd_config. I'll test it on RHEL7 and post here. I just wanted to know what's the official documentation say. DH Community Member 25 points 30 January 2019 4:13 PM Darrell Hoffman The ability of the root ID to login would more likely be controlled by the PermitRootLogin keyword rather than AllowUsers. PermitRootLogin defaults to yes unless overridden in sshd_config SM Guru 5838 points 31 January 2019 6:10 AM Sadashiva Murthy M It works as Lokanadhan said. Any user who is defined in 'AllowUsers' would gets allowed and this is true irrespective of whether it is defined in multiple lines. Check out this: [root@rhel7 ~]# sshd -T|grep allowuser allowusers test1 allowusers test2 I was able to do ssh into this system from another system as both 'test1' & 'test2' user : [root@ansiblehost ~]# ssh test1@rhel7 test1@rhel7's password: Last login: Wed Jan 23 04:10:52 2019 from ansiblehost [test1@rhel7 ~]$ logout Connection to rhel7 closed. [root@ansiblehost ~]# ssh test2@rhel7 test2@rhel7's password: Last login: Wed Jan 23 01:59:35 2019 from ansiblehost [test2@rhel7 ~]$ logout Any user who is not allowed would by default gets denied : [root@ansiblehost ~]# ssh test3@rhel7 test3@rhel7's password: Permission denied, please try again. Lokanadhan, if there is a requirement to set large number of users in the 'AllowUsers' list then it is better that you add all users into a group and then set 'AllowGroups' parameter in the configuration file as Darrell told before. However, declaring multiple lines of 'AllowUsers' does works. LK Community Member 25 points 31 January 2019 8:10 AM Lokanadhan Karthik Thank you. I know this works, I just wanted your opinion on the official/best way to do it. Thank You all again.