Google Answers Logo
View Question
Q: using sshd_config to fine-tune remote login privs ( Answered 4 out of 5 stars,   1 Comment )
Subject: using sshd_config to fine-tune remote login privs
Category: Computers > Security
Asked by: destruktobot-ga
List Price: $20.00
Posted: 20 Jul 2005 09:35 PDT
Expires: 19 Aug 2005 09:35 PDT
Question ID: 545814
i require a combination of allowusers/denyusers directives that will
effect the following:

user FOO is allowed to login to this server from remote server BAR _only_.
all other users may login to this server from any host.

the closest i've gotten has been something like this:

denyusers FOO@*
allowusers *

{afaik, sshd_config does not support regexp, just * and ?}

/var/log/messages indicates that FOO cannot log in, because that
username is in the denyusers directive.  i have verified that hostname
BAR in lastlog and hostname BAR in sshd_config match.  the server in
question runs SLES 9 and OpenSSH_3.8p1

here are my stipulations:
shosts.equiv and solutions other than sshd_config aren't acceptable
for this task, sorry.

recompiling ssh isn't an option.

if the configuration that i desire is possible, please explain what
i'm doing wrong and how to effect it.  if it isn't possible, please
explain why.

Subject: Re: using sshd_config to fine-tune remote login privs
Answered By: efn-ga on 20 Jul 2005 22:02 PDT
Rated:4 out of 5 stars
Hi destruktobot,

Sorry, what you want is not possible.

You can get the desired effect for user FOO with the line


This both allows FOO to log in from that host and forbids FOO from
logging in from any other host.

The problem is that then there is no way to let everyone else log in
from anywhere.  Once you have any AllowUsers line, all other access is
blocked by default.  So what you really need is a line that means

AllowUsers anythingbut(FOO)

Unfortunately, as you have seen, the syntax allowed for these lines is
not flexible enough to express this meaning.  You are correct that
only the wildcard characters '?' and '*' are supported, and there is
no way to compose a sequence of characters that will match any string
but "FOO".

Similarly, it can't be done with DenyUsers.  As you have found, a
matching DenyUsers line will block access even if there is also a
matching AllowUsers line.  So you would need a line that means

DenyUsers FOO@anythingbut(

But as in the AllowUsers case, there is no way to get the
"anythingbut" effect with only the '*' and '?' wildcard characters.


The manual page on sshd_config confirms that only the '*' and '?'
wildcard characters are supported.

An article by Vincent Danen on "Optimizing OpenSSH" on the
website says "Be aware when using DenyUsers and AllowUsers in
combination; the DenyUsers will always have precedence."

Similarly, an article by Chris Wong on HP-UX Secure Shell says "If a
user is restricted by any option, that user will not be granted

I hope this is a satisfactory answer to your question.  If it's not
clear enough, please ask for a clarification.


destruktobot-ga rated this answer:4 out of 5 stars
Thanks to EFN for the thorough answer.  I had hoped for an
undiscovered solution, but the lack of one is hardly the researcher's
fault - at least no doubts and "what ifs" linger.

Subject: Re: using sshd_config to fine-tune remote login privs
From: bozo99-ga on 21 Jul 2005 12:18 PDT
This steps outside your planned constraint of using only the config
file but I thought it was worth a mention.

If you are prepared to set FOO a custom shell that he cannot change it could
test the value of SSH_CLIENT in the environment.  If the value is
satisfactory execute a proper shell, otherwise exit.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  

Google Home - Answers FAQ - Terms of Service - Privacy Policy