Sshd AllowUsers ignored since upgrade to Buster?

Hi everybody!

Thanks for the great work on Yunohost, I just upgraded to YNH v4 on Buster and it is working like a charm.
However, I just noticed that the AllowUsers restriction in /etc/ssh/sshd_config does not seem to be enforced anymore since the upgrade. I just added a line with ‘AllowUsers username’ at the end of /etc/ssh/sshd_config and reloaded sshd to prevent other logins, including the admin account, but I can still log in as e.g. admin, and sshd does not complain in /var/log/auth.log about the account not being allowed by AllowUsers, as it used to do.
It used to work well before the upgrade to Buster.
I also checked that it is enforced by Debian sshd on another Buster system I have, so I wonder if it could be linked to some configuration issue with pam_ldap somehow?

Thanks in advance for any hint.
Best
ben

Yes, if you tested on a vanilla Buster that this is supposed to work, then the main difference should come from the fact that these are ldap users …

Yes, I did test on a vanilla Buster and it did work.
Could anyone else confirm or refute the issue? That would tell us if it is generic or only on my setup.

Silly me… I learnt something today: in sshd_config, a Match block's scope ends at the next Match directive or at end-of-file.
In other words, if you want to set any global setting such as AllowUsers etc., make sure it is set before any Match directive.
Sorry for the noise

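The scoping rule from the last post, as an added example that is not part of the original thread: a small Python check that reports which scope each access-control directive in an sshd_config falls into. The sample configs, the `sftpuser` account and the function names are constructed for illustration, and `Include` files are not followed.

```python
import re

# Access-control keywords that silently change meaning inside a Match block.
ACCESS_KEYWORDS = {"allowusers", "allowgroups", "denyusers", "denygroups"}

def directive_scopes(config_text, keywords=ACCESS_KEYWORDS):
    """Return (line_no, keyword, args, scope) for each watched directive.

    scope is "global" before the first Match line, otherwise the Match
    line whose block the directive belongs to (a block runs until the
    next Match line or end-of-file; indentation is irrelevant).
    """
    scope = "global"
    found = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword args" or "Keyword=args"; keywords are case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + args
        elif keyword in keywords:
            found.append((line_no, parts[0], args, scope))
    return found

def inside_match_block(config_text):
    """Watched directives that only apply when a Match condition holds.
    "Match all" matches every connection, so it is not reported."""
    return [d for d in directive_scopes(config_text)
            if d[3] != "global" and d[3].lower() != "match all"]

# Constructed sample: AllowUsers appended at end-of-file, after a Match block.
SAMPLE_APPENDED = """\
PermitRootLogin no
Match User sftpuser
    ForceCommand internal-sftp
AllowUsers ben
"""

# Same settings with AllowUsers moved above the first Match line.
SAMPLE_FIXED = """\
PermitRootLogin no
AllowUsers ben
Match User sftpuser
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for line_no, kw, args, scope in inside_match_block(SAMPLE_APPENDED):
        print(f"line {line_no}: {kw} {args} only applies under '{scope}'")
```

On a live host, `sshd -T -C user=admin,host=localhost,addr=127.0.0.1` prints the settings sshd would actually apply to that connection, which confirms whether an AllowUsers line is in effect.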