Old 05-02-2006, 08:04 PM   #1
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

sshd_conf AllowUsers access


I have a question on the meaning of AllowUsers in the /etc/sshd_conf configuration file.
Do you use "AllowUsers username ..." to enforce a deny all except policy versus using "DenyUsers" to just deny certain users?
If you have the entry:
Code:
AllowUsers mike john
Does this mean that all users are denied except for the users "mike" and "john"?

The example on page 295 of "Securing and Optimizing Linux: The Ultimate Solution" seems to imply that this is the case.
http://www.tldp.org/LDP/solrhe/Secur...ution-v2.0.pdf

Also, how is AllowGroups used in combination with AllowUsers?
If you have 3 members of the wheel group that you want to allow to log into ssh and allow the users "mike" and "john" access who are not members of the wheel group, would this suffice:
Code:
AllowGroups wheel
AllowUsers mike john
or would the AllowUsers entry take precedence?
Would this combination
Code:
DenyUsers *
AllowGroups wheel sshusers
allow the members of the wheel group and the members of the sshusers group access and deny all other users?

My understanding is that for a workstation or home computer, with a small fixed set of users, using AllowUsers alone is the best plan of action, whereas for a server that has many users connecting, using AllowGroups and denying system users with DenyUsers to control access and using PAM for authentication would work best.

One last question. Does the order of the Deny and Allow entries make a difference?

Last edited by jschiwal; 05-02-2006 at 08:16 PM.
 
Old 05-02-2006, 09:22 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Quote:
Originally Posted by jschiwal
Do you use "AllowUsers username ..." to enforce a deny all except policy versus using "DenyUsers" to just deny certain users?
If you have the entry:
Code:
AllowUsers mike john
Does this mean that all users are denied except for the users "mike" and "john"?
I use the AllowUsers directive because most of my users don't need ssh access. On my version of OpenSSH (4.3p1 on Slackware) it does mean that all users are denied except mike and john. I have seen other people use AllowGroups and just allow an ssh group so they don't have to restart ssh when adding new users to the system.
Quote:
Originally Posted by jschiwal
Also, how is AllowGroups used in combination with AllowUsers?
On my system, regardless of which line comes first, AllowUsers takes precedence and stops AllowGroups from working.
Quote:
Originally Posted by jschiwal
One last question. Does the order of the Deny and Allow entries make a difference?
On my system, the DenyUsers entry takes precedence over AllowUsers regardless of which order they appear. For example, adding a user to both entries (AllowUsers and DenyUsers) results in the user being denied.

Hope that helps.
 
Old 05-02-2006, 10:14 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Original Poster
Thank you for your response.

Quote:
On my system, regardless of which line comes first, AllowUsers takes precedence and stops AllowGroups from working.
I didn't know that AllowUsers trumps AllowGroups. So one of my examples wouldn't work:
AllowUsers mike john
AllowGroups wheel

And instead, I'd need to make a sshusers group and use the line:
AllowGroups wheel sshusers

The sshd_config manpage does not point this out.

Thanks again.
 
Old 05-02-2006, 11:36 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

No problem. I checked it again to make sure I had the behaviour right - AllowUsers does override AllowGroups, meaning only one of them can be used. I also tried using AllowGroups wheel sshusers and that worked.

Quote:
Originally Posted by jschiwal
The sshd_config manpage does not point this out.
I can't find anywhere (docs or Google) that lists the precedence of the hosts/groups/users operators, so I'd be interested if you find out more about this.
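Added example, not part of any post in this thread and not OpenSSH code: a small Python model of the evaluation order that later versions of sshd_config(5) document (DenyUsers, AllowUsers, DenyGroups, then AllowGroups, each one a separate gate that must pass), applied to the configurations discussed above. The user "alice", the group memberships and the function names are constructed for illustration; the model handles only plain names with `*` and `?` wildcards, not USER@HOST or negated patterns.

```python
import re

# Order in which the model applies the directives (as documented in sshd_config(5)).
ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")
KEYS = {name.lower(): name for name in ORDER}  # keywords are case-insensitive


def parse(config_text):
    """Collect the four access directives from sshd_config-style text."""
    rules = {name: [] for name in ORDER}
    for line in config_text.splitlines():
        words = line.split()
        if words and not words[0].startswith("#") and words[0].lower() in KEYS:
            rules[KEYS[words[0].lower()]] += words[1:]
    return rules


def matches(patterns, names):
    """True if any name matches any pattern ('*' and '?' wildcards only)."""
    for pat in patterns:
        rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if any(re.fullmatch(rx, name) for name in names):
            return True
    return False


def decide(rules, user, groups):
    """Return (allowed, name of the directive that denied, or None)."""
    if matches(rules["DenyUsers"], [user]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not matches(rules["AllowUsers"], [user]):
        return False, "AllowUsers"
    if matches(rules["DenyGroups"], groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not matches(rules["AllowGroups"], groups):
        return False, "AllowGroups"
    return True, None


if __name__ == "__main__":
    # Constructed accounts: alice is in wheel, mike is not.
    both = parse("AllowGroups wheel\nAllowUsers mike john")
    print("alice/wheel:", decide(both, "alice", ["alice", "wheel"]))
    print("mike/users: ", decide(both, "mike", ["users"]))
    deny_all = parse("DenyUsers *\nAllowGroups wheel sshusers")
    print("alice/wheel:", decide(deny_all, "alice", ["alice", "wheel"]))
    groups_only = parse("AllowGroups wheel sshusers")
    print("mike/sshusers:", decide(groups_only, "mike", ["users", "sshusers"]))
```

In this model a login needs to pass both AllowUsers and AllowGroups when both are set, so listing users in one and a group in the other admits only accounts that satisfy both lines.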
 
Old 11-17-2013, 04:12 PM   #5
neptuneuk
LQ Newbie
 
Registered: Nov 2013
Posts: 1

Rep: Reputation: Disabled
Lucky I found this post

I was starting to question my own sanity when I found this post. Nowhere else was I able to find any mention of precedence in 'Allowxxxxx' under ssh_conf.

I had users under AllowUsers and had a group (as it happens, the nx group for FreeNX) under AllowGroups, but none of my users could log in despite being members of the nx group.

This solved my issue immediately. Just using AllowGroups now.

Thanks guys. This needs to be documented elsewhere.
 
Old 11-18-2013, 03:02 AM   #6
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

Rep: Reputation: 14
jschiwal,
About the users and groups: it works the same as file permissions, i.e., "users-groups..etc". Priority is given to users first, then groups, and so on.

Regards,
nm
 