
Multiple AllowGroup lines in sshd_config?
Hi!

I'm experimenting with migrating the custom sshd_config settings for our
(Debian bullseye, openssh-server 8.4) server environment into fragments
under sshd_config.d/, and am wondering about sshd's behaviour when
encountering multiple AllowGroup lines.

The manual states "For each keyword, the first obtained value will be
used.", so that gives me the impression that any lines after the first
should be ignored. However, my testing seems to contradict this - if I
have two lines granting access to different groups, both groups get access.

So it seems like these are equivalent:

> AllowGroups foo bar

> AllowGroups foo
> AllowGroups bar


Is this behaviour to be expected? It could of course also be Debian
introducing special behaviour, but I thought I should check here first.

/T


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Multiple AllowGroup lines in sshd_config?
On 02/03/2023 16:11, Erik Thuning wrote:
> am wondering about sshd's behaviour when encountering multiple
> AllowGroup lines.
>
> The manual states "For each keyword, the first obtained value will be
> used.", so that gives me the impression that any lines after the first
> should be ignored. However, my testing seems to contradict this - if I
> have two lines granting access to different groups, both groups get
> access.
>
> So it seems like these are equivalent:
>
>> AllowGroups foo bar
>
>> AllowGroups foo
>> AllowGroups bar
>
>
> Is this behaviour to be expected?

I see the same as you, but I think it's to be expected.  There are other
settings like HostKey and AcceptEnv which can be repeated and which are
combined into a list of values.

You can see this if you run /usr/sbin/sshd -T

...
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
allowgroups redis
allowgroups brian
acceptenv LANG
acceptenv LC_*
...

I get the same whether I use

AllowGroups redis brian

or

AllowGroups redis
AllowGroups brian

Similarly, if I put "AcceptEnv blah" then this is added to the other
AcceptEnv settings - it does not override them (and I don't know how to
empty the list).

I agree that the "For each keyword..." note in the sshd_config manpage
could be misleading for these cases.

Regards,

Brian.
Re: Multiple AllowGroup lines in sshd_config?
On Thu, 2 Mar 2023, Erik Thuning wrote:

> Hi!
>
> I'm experimenting with migrating the custom sshd_config settings for our
> (Debian bullseye, openssh-server 8.4) server environment into fragments under
> sshd_config.d/, and am wondering about sshd's behaviour when encountering
> multiple AllowGroup lines.
>
> The manual states "For each keyword, the first obtained value will be used.",
> so that gives me the impression that any lines after the first should be
> ignored. However, my testing seems to contradict this - if I have two lines
> granting access to different groups, both groups get access.
>
> So it seems like these are equivalent:
>
> > AllowGroups foo bar
>
> > AllowGroups foo
> > AllowGroups bar
>
>
> Is this behaviour to be expected? It could of course also be Debian
> introducing special behaviour, but I thought I should check here first.

Yeah, sshd_config isn't 100% consistent at implementing first-match-wins
and Allow/DenyUsers/Groups is one of the exceptions. That's no excuse for
our not documenting this.

diff --git a/sshd_config.5 b/sshd_config.5
index 51cf89e..4587f1f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -48,7 +48,7 @@ reads configuration data from
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
-For each keyword, the first obtained value will be used.
+Unless noted otherwise, for each keyword, the first obtained value will be used.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
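Review bot: "Unless noted otherwise" is only as good as the notes that follow, and this patch adds them to AllowGroups, AllowUsers, DenyGroups and DenyUsers only; the reply earlier in this thread shows HostKey and AcceptEnv accumulating the same way in `sshd -T` output, and neither of those entries is touched here. Either extend the same sentence to those keywords or name the accumulating keywords next to this general rule, so a reader has one place that lists its exceptions.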
@@ -120,6 +120,9 @@ The allow/deny groups directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm AllowStreamLocalForwarding
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
The available options are
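Review bot: the added sentence says that later instances append, but not what that means for access control: a second `AllowGroups`, for instance in a fragment under sshd_config.d/, can only add groups that may log in and never replaces or narrows the earlier list, which is exactly what the original poster found surprising. Suggest making that explicit, e.g. "with each instance appending to the list; a later instance does not override an earlier one", because an operator adding a drop-in will otherwise assume the usual first-obtained-value rule applies.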
@@ -177,6 +180,9 @@ The allow/deny users directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
for a user to be granted access.
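Review bot: the sentence is identical to the AllowGroups one, which keeps the entries consistent, but nothing in it signals that this is a departure from the first-obtained-value rule amended in the first hunk; phrasing it as "Unlike most keywords, this keyword may appear multiple times in .Nm ..." would make the exception visible in the entry where an AllowUsers reader actually looks.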
@@ -630,6 +636,9 @@ The allow/deny groups directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
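Review bot: for DenyGroups, appending is the conservative direction, since an extra instance can only deny more, whereas for AllowGroups above it widens access; with the same sentence used word for word in both entries that asymmetry is lost. A one-line statement in the shared "processed in the following order" paragraph, saying that repeated Deny lines only restrict while repeated Allow lines only extend, would give administrators splitting configuration into fragments the practical consequence they need.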
@@ -648,6 +657,9 @@ The allow/deny users directives are processed in the following order:
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+This keyword may appear multiple times in
+.Nm
+with each instance appending to the list.
.It Cm DisableForwarding
Disables all forwarding features, including X11,
.Xr ssh-agent 1 ,
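Review bot: duplication: the same three-line sentence now appears in four entries, so any later wording change has to be made in all four places. Since all four keywords already share the paragraph beginning "The allow/deny ... directives are processed in the following order:" (visible in each hunk header), one statement there that these keywords accumulate across instances, referenced from each entry, would be easier to keep in sync.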
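Both replies above describe the same resolution rule: most keywords are first-obtained-value-wins, while AllowGroups, AllowUsers, DenyGroups and DenyUsers (and, per Brian's `sshd -T` output, HostKey and AcceptEnv) accumulate across repeated lines. The Python model below is an added example, not code from the thread or from OpenSSH; it assumes fragments are read where the `Include` line sits and that, as on Debian, that line is at the top of the main file, and `effective_config` and `groups_added_by_fragments` are hypothetical helpers operating on constructed input rather than real files.

```python
# Added example (not from the thread or OpenSSH): model how sshd resolves a
# keyword that appears more than once across sshd_config and sshd_config.d/.
# Assumption: fragments are read where the Include line sits, which on Debian
# is the top of the main file, so fragment values are "obtained" first.
import fnmatch

# Keywords the thread shows accumulating; everything else is first-wins.
APPEND_KEYWORDS = {"allowgroups", "allowusers", "denygroups", "denyusers",
                   "hostkey", "acceptenv"}


def parse(text):
    """Yield (keyword, args) per non-comment line, keyword lowercased."""
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1:]


def effective_config(main_text, fragments):
    """{keyword: [values]} as sshd sees them; fragments is a constructed list of
    (filename, text) for sshd_config.d/*.conf, expanded in lexical order."""
    stream = []  # (keyword, args) in the order sshd reads them

    def expand(text):
        for key, args in parse(text):
            if key == "include":
                pattern = args[0].rsplit("/", 1)[-1]
                for name, body in sorted(fragments):
                    if fnmatch.fnmatch(name, pattern):
                        expand(body)
            else:
                stream.append((key, args))

    expand(main_text)
    resolved = {}
    for key, args in stream:
        if key in APPEND_KEYWORDS:
            resolved.setdefault(key, []).extend(args)  # each line appends
        else:
            resolved.setdefault(key, args)  # first obtained value wins
    return resolved


def groups_added_by_fragments(main_text, fragments):
    """AllowGroups patterns that fragments add beyond the main file's own list;
    non-empty means a drop-in widened who may log in rather than replacing."""
    base = set(effective_config(main_text, []).get("allowgroups", []))
    full = set(effective_config(main_text, fragments).get("allowgroups", []))
    return sorted(full - base)
```

Running `groups_added_by_fragments` over a real main file and its fragments is a quick audit for drop-ins that were meant to replace an allow list but actually extended it.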