# sshd_config DenyUsers and AllowUsers have no effect



## nforced (Feb 9, 2018)

I have a little frustration here, I can't restrict logins to sshd.

I got these two lines at the end of my /etc/ssh/sshd_config file

```
DenyUsers baduser
AllowUsers remote
```

I did service sshd reload (and restart) with no effect, any user on the system can login including baduser which should be explicitly denied...

Any suggestions?


----------



## nforced (Feb 9, 2018)

Silly me!


```
Match Group sftponly
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

DenyUsers baduser
AllowUsers remote
```

Match blocks must be at the bottom of the config file or as in my case anything appended after the match block will be considered part of the match...
So DenyUsers and AllowUsers were only applied to users part of the sftponly group - not what I wanted!

There is one other trick that can be done here if one is still willing to put global directives after Match block

```
Match All
       DenyUsers baduser
       AllowUsers remote
```


----------

