From lines 1714-1718 of the XML:

    #Noone else than members of wheel or admin should have access
    AllowGroups wheel admin
    #And 2 users
    AllowUsers kn bs

According to these comments, it seems that we can use "AllowGroups" *AND* "AllowUsers" individually. But these settings are exclusive. In other words, if the user "kn" does not belong to the "wheel" group, he can never log in via SSH. So I suggest the comment "#And 2 users" should be replaced with "#Or only 2 users".

Reproducible: Always
Where do you find the information that these settings are exclusive? The manpage of sshd_config doesn't talk about exclusivity
Well, I'm not sure 'exclusive' is the correct word. I have just tested the setting referring to the guide. Then I found one cannot log in even if he is listed in AllowUsers when his group is not listed in AllowGroups. Here is a sample:

    server root # useradd foo -m -G users,wheel
    server root # useradd bar -m -G users
    server root # useradd baz -m -G users,wheel

(edit /etc/ssh/sshd_config)

    AllowUsers foo bar
    AllowGroups wheel

    server root # /etc/init.d/sshd restart

(foo can log in)

    hagi@client hagi $ ssh foo@server
    foo@server's password:
    foo@server foo $

(bar cannot log in even if he is listed in AllowUsers)

    hagi@client hagi $ ssh bar@server
    bar@server's password:
    Permission denied, please try again.

(in the auth.log)

    User bar not allowed because none of user's groups are listed in AllowGroups

(baz also cannot log in even if his group is listed in AllowGroups)

    hagi@client hagi $ ssh baz@server
    baz@server's password:
    Permission denied, please try again.

(in the auth.log)

    User baz not allowed because not listed in AllowUsers
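The behaviour shown in the sample above follows from the order in which sshd evaluates its access directives, which sshd_config(5) documents as DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups: a login must pass every directive that is set, so with both AllowUsers and AllowGroups present a user needs to be listed by name and to be in an allowed group. The following is an added example, not code from this bug or from the Gentoo guide: a small simulation of that evaluation order, run over users and groups constructed to mirror the sample (foo, bar, baz; the function names and the dictionary layout are this example's own assumptions). It generalises the sample slightly by also handling the Deny* directives and the shell-style wildcards these directives accept.

```python
# Added example (not from the bug thread or the Gentoo guide): simulate how
# sshd applies its user/group access directives. Per sshd_config(5) they are
# evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and
# a directive that is unset does not restrict anything. The "user@host"
# form of AllowUsers/DenyUsers is not modelled here.
import fnmatch

# Constructed data mirroring the sample in the comment above.
SAMPLE_GROUPS = {
    "foo": {"users", "wheel"},
    "bar": {"users"},
    "baz": {"users", "wheel"},
}

SAMPLE_CONFIG = {
    "AllowUsers": ["foo", "bar"],
    "AllowGroups": ["wheel"],
}


def _matches(name, patterns):
    # These directives accept shell-style wildcards ('*' and '?').
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def check_login(user, user_groups, config):
    """Return (allowed, reason) for a login attempt, in sshd's directive order.

    The reason strings follow the wording sshd writes to auth.log for the
    two cases seen in the sample above.
    """
    deny_users = config.get("DenyUsers", [])
    allow_users = config.get("AllowUsers", [])
    deny_groups = config.get("DenyGroups", [])
    allow_groups = config.get("AllowGroups", [])

    if deny_users and _matches(user, deny_users):
        return False, f"User {user} not allowed because listed in DenyUsers"
    if allow_users and not _matches(user, allow_users):
        return False, f"User {user} not allowed because not listed in AllowUsers"
    if deny_groups and any(_matches(g, deny_groups) for g in user_groups):
        return False, f"User {user} not allowed because a group is listed in DenyGroups"
    if allow_groups and not any(_matches(g, allow_groups) for g in user_groups):
        return False, (f"User {user} not allowed because none of user's groups "
                       f"are listed in AllowGroups")
    return True, f"User {user} allowed"


def run_sample():
    """Evaluate every constructed user against the constructed config."""
    return {u: check_login(u, SAMPLE_GROUPS[u], SAMPLE_CONFIG) for u in SAMPLE_GROUPS}


if __name__ == "__main__":
    for user, (ok, reason) in run_sample().items():
        print("ALLOW" if ok else "DENY ", reason)
```

Running it reproduces the outcome of the sample: foo passes both checks, bar fails at AllowGroups, and baz fails at AllowUsers even though he is in wheel. When auditing an sshd_config, a quick way to spot this is to treat every set Allow*/Deny* line as a separate filter that all must pass rather than as alternatives.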
Created attachment 20375 [details, diff] Patch to gentoo security guide This patch adds a better explanation, making it clear for the users that both settings must apply (i.e. you must be in one of the allowed groups, and listed by the AllowUsers). If a docdev can review?
patch looks good
Committed. Thanks for reporting!