https://bugzilla.mindrot.org/show_bug.cgi?id=1690
Darren Tucker <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Darren Tucker <[email protected]> 2010-01-04 13:10:57 EST ---

The problem is that the way these things work is that they only ever provide a way to deny a login, not allow it. That is to say that if a given login would be denied by any one of the directives then it'll be denied. It's neither first-match nor last-match.

Changing this would require changing the semantics of the directives, which would change the behaviour of existing configurations. We could maybe do this, but it would need to be well documented in the release notes, and it's almost inevitable that someone somewhere wants the current behaviour.

Instead, I think we should (a) improve the documentation, and (b) add a new directive that can work with the Match directive which would allow the rules to be expressed as first-match in whichever order makes sense for your purpose. You would be able to express your rules as something like:

    Match User joe
        AllowLogin yes
    Match Group joe
        AllowLogin no

Match rules are processed first-match per directive, so this should do what you want, and also allows easier use of Address rules and suchlike.

_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
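The two evaluation models contrasted in the comment above, as an added example that is not part of the original message or of OpenSSH's code. It assumes the deny-only directives are sshd_config's AllowUsers, DenyUsers, AllowGroups and DenyGroups, that an unmatched login defaults to allowed under the proposal, and it treats AllowLogin as the proposed (not existing) directive; the users, groups and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

def _hit(patterns, names):
    """True if any name matches any pattern (simplified: * and ? wildcards)."""
    return any(fnmatchcase(n, p) for p in patterns for n in names)

def deny_only(cfg, user, groups):
    """Deny-only model: each directive can veto a login, none can grant one.
    The login passes only if no directive objects, so order is irrelevant."""
    if _hit(cfg.get("DenyUsers", []), [user]):
        return False
    if cfg.get("AllowUsers") and not _hit(cfg["AllowUsers"], [user]):
        return False
    if _hit(cfg.get("DenyGroups", []), groups):
        return False
    if cfg.get("AllowGroups") and not _hit(cfg["AllowGroups"], groups):
        return False
    return True

def first_match(rules, user, groups, default=True):
    """Proposed model: the first Match block that applies and sets the
    hypothetical AllowLogin decides; later blocks cannot override it.
    default=True is an assumption, the message does not state one."""
    for kind, pattern, allow in rules:
        names = [user] if kind == "User" else groups
        if _hit([pattern], names):
            return allow
    return default

# Constructed sample: joe and bob are both in group "joe", alice is not.
ACCOUNTS = {"joe": ["joe"], "bob": ["joe"], "alice": ["staff"]}

# Intent: let joe in, keep the rest of group joe out.
DENY_ONLY_CFG = {"AllowUsers": ["joe", "alice"], "DenyGroups": ["joe"]}
FIRST_MATCH_RULES = [("User", "joe", True), ("Group", "joe", False)]

def compare():
    """Return {user: (deny_only_result, first_match_result)}."""
    return {u: (deny_only(DENY_ONLY_CFG, u, g),
                first_match(FIRST_MATCH_RULES, u, g))
            for u, g in ACCOUNTS.items()}

if __name__ == "__main__":
    for user, (old, new) in compare().items():
        print(f"{user:6} deny-only={old!s:5} first-match={new}")
```

Under the deny-only model joe is locked out by the group rule even though a user rule names him, which is the surprise the comment describes; only the first-match form expresses the exception.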
