On Sat, Mar 18, 2006 at 01:17:19PM -0500, Ron Wheeler wrote:
> It does not seem to work.
> It appears that for sshd, sshusers would have to be their primary group
> and it is not.

sshd checks the supplemental group ids by using getgrouplist. Is it
possible that your system doesn't return those (eg if the data source
isn't listed in nsswitch.conf?)

> It also appears that the Allow* directives act like seives. You have to
> pass all of the specified criteria to get in.
> This means they would have be in the right group AND local rather than
> OR which is what I need.

Not exactly. Once you have either of AllowUsers or AllowGroups then
the entire list of that type of directive will be checked before any
login not matching at least one rule of that type is denied.

So it's a logical OR within types and a logical AND across types. That's
why I suggested using two AllowGroups directives in my follow-up post.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.