Using Allow and Deny Keywords

The following keywords are available for controlling access to users, groups, and/or client host computers:

AllowUsers, DenyUsers, AllowGroups, DenyGroups, AllowHosts, DenyHosts, AllowTcpForwardingForUsers, DenyTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwardingForGroups, ForwardACL

You can specify users, groups, or hosts for any of these keywords by using a single instance of the keyword with a comma-separated list of values, or by including multiple instances of the keyword, in which case the final assigned value is cumulative over all instances.

The server uses the following logic to determine whether to allow a connection.

  1. Check to see if any "Deny" keywords are configured for a given access category (hosts, users, group, or TCP forwarding); and deny access if the client matches any denied expression.
  2. Check to see if any "Allow" keywords are configured for the same category.
    • If no "Allow" keywords are configured, access is granted.
    • If any "Allow" keywords are configured, the server allows access only if the client matches an allowed expression.


The following samples show how you can allow access, deny access, or use a combination of allow and deny.



Allow access only to users whose name starts with "abc".

AllowUsers= abc.*

Deny access to client hosts with an IP address that begins with 123.156.78, and allow access to users on any other client.



Allow access to all hosts in the domain except badpc, and deny access to clients from any other domain.




Deny access to all hosts in the domain, including mypc, and allow access to clients from any other domain.





Note: Without the final line, no clients would be allowed access. This is because once any client is added to the allow list, clients are allowed access only if they match an allowed expression.

Note: You can also configure user-specific and host-specific settings using subconfiguration files.

Related Topics

Server Subconfiguration Files

Access Control Settings