OpenSSH DenyUsers negate

Hi all,

Am I missing something? According to the man pages this should work:

cat /etc/ssh/sshd_config.d/01-permitrootlogin.conf
PermitRootLogin yes
DenyUsers root@!

Allow root login but ONLY when it’s not from Well, that’s not working… :(

However, changing the configuration will make it work:

PermitRootLogin yes
DenyUsers root@*,!

Am I misreading the man pages or is this a bug, for a long time there…?


Hello and welcome to the openSUSE forums.

Sorry, but saying “it does (not) work” is not something that tells much in a computer environment.

You should explain

  • what you did (and we have only some configurations, but you did not tell what you did);
  • what happened (this is missing complete);
  • what you expected to happen (this is also missing).

So we can only guess what you mean with “working”. And guessing from this side will probably lead to misunderstandings and bad advice.

Oh, and please select you pieces of computer text and then hit the </> button in the tool bar of the post editor. That will make the computer text much more readable and understandable.

from how I understand the syntax I would have said that in

There is a lack of the ips that you exclude from.
So, the * (any ip) as in your second example.

Instead of the


I would have put a space. Does it work with a space instead?

Yes, you are misreading man pages. Check out man ssh_config again, it’s pretty definitive.

OK, some more clarification:

I was expecting user root root can only login from Well, logging in from another IP-address is possible also:

ssh 'whoami'

But Busy Penquin was right, it’s in the man 5 ssh_config:

…the following pattern list will fail: from=“!host1,!host2”

The solution here is to include a term that will yield a positive match,
such as a wildcard: from=“!host1,!host2,*”

Hence: this one also works:

DenyUsers root@!,*

Logging in from localhost will now result into:

journalctl -l -u sshd.service
User root from not allowed because listed in DenyUsers

And to make it all complete I changed the config to:

DenyUsers root@!,!,!::1,*

So, great, it’s working; thanks for the help.


1 Like

Yep, you’re right. Thanks for the hint, see my other response earlier.

1 Like