1.3-epa3 - SSH access control directives misleading

The Equuleus documentation lists:

set service ssh access-control <allow | deny> <group | user> <name>

Add access-control directive to allow or deny users and groups.
Directives are processed in the following order of precedence: `deny-users`, `allow-users`, `deny-groups` and `allow-groups`.

Yet when I set the following configuration:

    ssh {
        access-control {
            allow {
                user vyos
            }
            deny {
                group vyattacfg
            }
        }
        port 22
    }

My vyos user login via SSH is denied.

Shouldn’t my login be allowed according to the following order of precedence: deny-users, allow-users, deny-groups and allow-groups? That is, allow-users is evaluated before deny-groups, correct?

I see the following in syslog:

Nov  6 15:43:36 vyos sshd[5515]: User vyos from host not allowed because a group is listed in DenyGroups

Why is the allow-users entry not taking precedence?

Thanks!

Hello @Klipz,

What method do you use to put users into groups?

The vyattacfg group in my example is a built-in group, and it appears that all local users created via the “system login” configuration tree are added to it.

I only want the vyos user to be able to login via ssh, and all other local users denied.

Regardless of how users are added to the group, it does exist and the users are in it. Is the documentation right or wrong, and how is the ssh access-control precedence really evaluated?

Side comment - this bug(?) makes me appreciate the granular controls that exist in DANOS and I wish VyOS had a similar level of fine-grained control.

The allow rule is sufficient to exclude all users except allowed users. For example:

set system login user tstA authentication plaintext-password Password
set system login user tstB authentication plaintext-password Password
set system login user tstC authentication plaintext-password Password

set service ssh access-control allow user tstA

Result: only user tstA can connect to the router.
Groups are not needed in this case.
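To make the precedence question concrete, here is a small Python model of the check order sshd actually applies (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, where every directive must pass rather than the first match winning), run against both configurations from this thread. It is an added example, not code from the thread or from VyOS; the user-to-group memberships and the `sshd_allowed`/`evaluate` names are constructed for illustration.

```python
import fnmatch


def sshd_allowed(user, groups, deny_users=(), allow_users=(),
                 deny_groups=(), allow_groups=()):
    """Return (allowed, reason) using the order sshd checks its directives.

    Each directive is a veto: a later deny still denies even if an earlier
    allow matched. Pattern matching uses fnmatch as a stand-in for sshd's
    '*' / '?' patterns; the user@host form of AllowUsers is not modelled.
    """
    if any(fnmatch.fnmatch(user, p) for p in deny_users):
        return False, "user is listed in DenyUsers"
    if allow_users and not any(fnmatch.fnmatch(user, p) for p in allow_users):
        return False, "user is not listed in AllowUsers"
    # Group checks consider every group the user belongs to (primary + supplementary).
    if any(fnmatch.fnmatch(g, p) for g in groups for p in deny_groups):
        return False, "a group is listed in DenyGroups"
    if allow_groups and not any(fnmatch.fnmatch(g, p)
                                for g in groups for p in allow_groups):
        return False, "no group is listed in AllowGroups"
    return True, "allowed"


# Constructed membership table: as observed in the thread, every user created
# under 'system login' ends up in the built-in vyattacfg group.
USERS = {
    "vyos": ["users", "vyattacfg"],
    "tstA": ["users", "vyattacfg"],
    "tstB": ["users", "vyattacfg"],
}

# The original poster's config: allow user vyos, deny group vyattacfg.
THREAD_CONFIG = dict(allow_users=["vyos"], deny_groups=["vyattacfg"])
# Nikolay's suggestion: a single allow-user entry and no group directives.
ALLOW_ONLY_CONFIG = dict(allow_users=["tstA"])


def evaluate(config, users=USERS):
    """Run every known user through sshd_allowed() for the given directives."""
    return {u: sshd_allowed(u, gs, **config) for u, gs in users.items()}


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("allow-only", ALLOW_ONLY_CONFIG)):
        for user, (ok, why) in evaluate(cfg).items():
            print(f"{name:10} {user:5} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The first configuration denies vyos with the same reason the syslog line reports, while the allow-only configuration admits tstA and rejects every other local user.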

Nikolay,

Thank you, this works for my use case. I am still vaguely concerned about the documentation of the ssh access control directives. It is not quite clear how it would or should work in cases where you’ve got multiple directives entered for both allow and deny.

Thanks again for the support!

@Klipz,
Nice that it helped.
I agree with you. The situation with the groups is not clear.
