It seems the syntax for AllowUsers in sshd_config is not the same that is given in man sshd_config and in several documentation on the web. (http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config)

e.g.

AllowUsers root

does work.

AllowUsers root username

does not work.

If I try to login as root I get "User root from <hostname> not allowed because not listed in AllowUsers". I tried separating by comma (just in case) which fails as well.

man page mentions checking against hosts only if you use a root@hostname pattern there.

AllowUser root@* username

works for me (with root, didin't check the username), but this should not be necessary according to documentation. If "root" is allowed as a "pattern" it doesn't matter if there are more "patterns" coming or not.

It seems that as soon as two names are listed it's read as one user ("root username"), e.g. it does not use the whitespace as a terminator.

UsePAM=no , in case that makes a difference. CentOS 5.9, standard OpenSSH.

I've noticed this discrepancy already in the past, but didn't investigate. I also think that this syntax contradicts what man ssh_config says about pattern lists, because for pattern-lists (which I understand is a list of patterns for one directive) ssh wants a comma-separated list. http://www.openssh.com/cgi-bin/man.cgi?query=ssh_config (man sshd_config says to look in ssh_config for pattern syntax.)

I think this is a serious bug as it can lock you out very quickly while you want to secure your machine (once you want to have more than one user).

Do you share the same opinion or am I doing something wrong and it works like advertised?

Kai