From owner-freebsd-doc@FreeBSD.ORG  Tue Jun 20 04:33:16 2006
Return-Path: <owner-freebsd-doc@FreeBSD.ORG>
X-Original-To: freebsd-doc@FreeBSD.org
Delivered-To: freebsd-doc@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5A8BA16A474
	for <freebsd-doc@FreeBSD.org>; Tue, 20 Jun 2006 04:33:16 +0000 (UTC)
	(envelope-from doug@fledge.watson.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DAD0D43D46
	for <freebsd-doc@FreeBSD.org>; Tue, 20 Jun 2006 04:33:15 +0000 (GMT)
	(envelope-from doug@fledge.watson.org)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1])
	by fledge.watson.org (8.13.6/8.13.6) with ESMTP id k5K4XEda074354
	for <freebsd-doc@FreeBSD.org>; Tue, 20 Jun 2006 00:33:14 -0400 (EDT)
	(envelope-from doug@fledge.watson.org)
Received: from localhost (doug@localhost)
	by fledge.watson.org (8.13.6/8.13.6/Submit) with ESMTP id
	k5K4XEpK074350
	for <freebsd-doc@FreeBSD.org>; Tue, 20 Jun 2006 00:33:14 -0400 (EDT)
	(envelope-from doug@fledge.watson.org)
Date: Tue, 20 Jun 2006 00:33:14 -0400 (EDT)
From: doug <doug@fledge.watson.org>
To: freebsd-doc@FreeBSD.org
Message-ID: <20060620002333.X70608@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: 
Subject: sshd_config directive processing
X-BeenThere: freebsd-doc@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Documentation project <freebsd-doc.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-doc>,
	<mailto:freebsd-doc-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-doc>
List-Post: <mailto:freebsd-doc@freebsd.org>
List-Help: <mailto:freebsd-doc-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-doc>,
	<mailto:freebsd-doc-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2006 04:33:16 -0000

The OpenSSH man page for sshd_config specifies that the allow/deny directives 
are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and 
finally AllowGroups.

This should be specified in the FreeBSD man pages to prevent attempts such as:

    AllowUsers root@specific-host
    DenyUsers root*

While I think processing AllowUsers before DenyUsers allows some very useful 
things to be done, OpenSSH defines the processing in the listed order. 
Specifying the order in the man page lets admins avoid useless attempts.


Doug Denault