How to use both AllowGroups and AllowUsers in sshd_config?

Solution 1:

Yes, AllowUsers takes precedence over AllowGroups. If specified, only the users that match the pattern specified in AllowUsers may connect to the SSHD instance.

According to sshd_config manpage:

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So, the solution to your problem is probably to use one or the other, possibly the group access directives if groups are your preferred way to manage users.

Solution 2:

Jeff's answer covers the specifics of the question as detailed, but I found this question looking to use AllowUsers and AllowGroups in a slightly different scenario. I wanted to restrict incoming connections to users in a group (ssh) coming from specific subnets.

The connection rules in sshd_config are a filter - as each additional rule is applied, the set of acceptable users can only be reduced. PATTERNS in ssh_config(5) explain the form of those rules.

Additionally, according to the AllowUsers section of sshd_config:

If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format.

AllowGroups doesn't accept the USER@HOST form.

So, to accept users 1) in the ssh group and 2) from specific subnets/hosts:

AllowUsers *@192.168.1.0/24 *@*.example.com *@1.2.3.4
AllowGroups ssh
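
The filter behaviour described in this answer can be checked with a small model. This is an added example, not part of the original answer and not OpenSSH's code: the function names, the sample users and hosts, and the second configuration are constructed, and the model assumes plain `*`/`?` patterns without `!` negation.

```python
import ipaddress
import re

def glob(pattern, value):
    # ssh_config(5) PATTERNS wildcards: '*' (any run) and '?' (one char).
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def host_matches(pattern, hostname, addr):
    if "/" in pattern:  # CIDR address/masklen form
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return glob(pattern.lower(), hostname.lower()) or glob(pattern, addr)

def user_matches(patterns, user, hostname, addr):
    for p in patterns:
        upat, sep, hpat = p.rpartition("@")  # model choice: split at last '@'
        if not sep:                          # plain USER pattern, any host
            upat, hpat = p, "*"
        if glob(upat, user) and host_matches(hpat, hostname, addr):
            return True
    return False

def group_matches(patterns, groups):
    return any(glob(p, g) for p in patterns for g in groups)

def login_allowed(cfg, user, groups, hostname, addr):
    # Order quoted above: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    # An Allow* list that is set must match; every set list is applied.
    if user_matches(cfg.get("DenyUsers", []), user, hostname, addr):
        return False
    if "AllowUsers" in cfg and not user_matches(cfg["AllowUsers"], user, hostname, addr):
        return False
    if group_matches(cfg.get("DenyGroups", []), groups):
        return False
    if "AllowGroups" in cfg and not group_matches(cfg["AllowGroups"], groups):
        return False
    return True

# The configuration from this answer.
SUBNET_AND_GROUP = {
    "AllowUsers": ["*@192.168.1.0/24", "*@*.example.com", "*@1.2.3.4"],
    "AllowGroups": ["ssh"],
}
# Constructed configuration: a user list combined with a group list.
USERS_AND_GROUP = {"AllowUsers": ["user1"], "AllowGroups": ["ssh-users"]}
```

In the model, a login passes only if it satisfies every list that is set, so a member of ssh-users who is not named in AllowUsers is still rejected under the second configuration.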

Solution 3:

Here is a solution we have found working:

AllowUsers user1 user2
Match group ssh-users
    AllowUsers *
