Hello, I've trawled archives looking for changes in the "AllowUsers" option, manuals, changes log, reported bugs and to my surprise I can't find anything or anyone that has reported the issues that I am experiencing. I am using the default installation sshd_config file as supplied by Redhat and the only options I have changed are: ListenAddress AllowUsers The first problem exists on both of the following versions oppenssh-3.5p1 and oppenssh-3.9p1 1) I have on one of our servers the line in the sshd_config file: AllowUsers root at 192.168.100.* root at 192.168.102.* The server that runs the sshd only allows ssh clients to connect from the sub-net 192.168.100.0/24. Where as one would expect it to allow connections from both the listed sub-nets 192.168.100.0/24 and 192.168.102.0/24. Basically if I try connecting from the 192.168.102.0/24 sub-net I get the "User root not allowed because not listed in AllowUsers" error. The weird thing here is that if I change the option: ListenAddress :: to ListenAddress my-server then the problem goes away. There appears to be nothing in the documentation that suggests the ListenAddress setting effects the AllowUsers setting. The second problem is not present on the oppenssh-3.5p1-6 but is present on the later version oppenssh-3.9p1-8. The problem has arisen after upgrading from Redhat Linux 9 (oppenssh-3.5p1-6) to Redhat Enterprise Linux 4 (oppenssh-3.9p1-8.RHEL4.1) 2) I have on one of our servers the line in the sshd_config file: AllowUsers root at 192.168.100.12 root@*.mycompany.com donald at 192.168.100.99 donald@*mydomain.com User root can log on from the specified IP address or any domain which matches the pattern *.mycompany.com. Note that the *.mycompany.com domains are all machines on a local sub-net with their domain names specified in the /etc/hosts file. The user donald can connect from the local sub-net specified IP address but cannot connect from an external domain that matches the pattern *mydomain.com. The only way I can get the user donald to connect on the external domain is by putting the exact IP address in the AllowUsers option, which is not particularly useful as it is a dynamically changing IP address. As I have already stated, the exact same AllowUsers option used to work fine under the older (3.5p1) version of openssh. I tried setting the option UseDNS to no but that makes no difference. Can somebody tell me if these are known problems or simply features (that's the way its supposed to work)? If they are known or new problems are they likely to be fixed in the latest version? Regards Donald Fraser Ps I particularly like the idea put forward by Patrick Gosling on 2005-01-20 10:27:17 titled: AllowUsers - proposal for useful variations on the theme
On Thu, Nov 17, 2005 at 12:50:53PM -0000, Donald Fraser wrote: [...]> The first problem exists on both of the following versions oppenssh-3.5p1 > and oppenssh-3.9p1 > 1) I have on one of our servers the line in the sshd_config file: > AllowUsers root at 192.168.100.* root at 192.168.102.* > > The server that runs the sshd only allows ssh clients to connect from the > sub-net 192.168.100.0/24. > Where as one would expect it to allow connections from both the listed > sub-nets 192.168.100.0/24 and 192.168.102.0/24. > Basically if I try connecting from the 192.168.102.0/24 sub-net I get the > "User root not allowed because not listed in AllowUsers" error. > > The weird thing here is that if I change the option: > "ListenAddress ::" to "ListenAddress my-server" > then the problem goes away.The problem is that when you specify "::" as the ListenAddress, the kernel is reporting IPv4 connections as IP4-in-6 mapped ones (ie ::ffff:xxxx), which don't match the IP addresses you specified. If you specify the IPv6 addresses the kernel reports to sshd then it will work. OpenSSH 4.1 and up work around this by "normalising" the addresses first. From the ChangeLog: - (dtucker) [canohost.c] normalise socket addresses returned by get_remote_hostname(). This means that IPv4 addresses in log messages on IPv6 enabled machines will no longer be prefixed by "::ffff:" and AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only for 4-in-6 mapped connections, regardless of whether or not the machine is IPv6 enabled. ok djm@ And the trivial patch: diff -u openssh_cvs/canohost.c:1.47 openssh_cvs/canohost.c:1.48 --- openssh_cvs/canohost.c:1.47 Tue Mar 1 21:16:19 2005 +++ openssh_cvs/canohost.c Tue May 3 19:05:32 2005 @@ -251,6 +251,8 @@ if (addr.ss_family == AF_INET6) addrlen = sizeof(struct sockaddr_in6); + ipv64_normalise_mapped(&addr, &addrlen); + /* Get the address in ascii. */ if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop), NULL, 0, flags)) != 0) {> The second problem is not present on the oppenssh-3.5p1-6 but is present on > the later version oppenssh-3.9p1-8.[snip description] An explanation for this one does not immediately spring to mind. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On Thu, Nov 17, 2005 at 12:50:53PM -0000, Donald Fraser wrote:> The user donald can connect from the local sub-net specified IP > address but cannot connect from an external domain that matches the > pattern *mydomain.com. The only way I can get the user donald to > connect on the external domain is by putting the exact IP address > in the AllowUsers option, which is not particularly useful as it is > a dynamically changing IP address.Does the PTR record for the IP address change along with the A record for the name? I assume sshd does a reverse-lookup of the IP-adress, otherwise it would be completely trivial to bypass the check. //Peter
Apparently Analagous Threads
- AllowUsers Change
- PermitRoot without-password doesn't work if AllowUsers user1 user2 set, but root not included; Also some bug in auth.c (Me thinks)
- Problem, possibly bug with AllowUsers & DenyUsers
- ((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
- more flexible AllowUsers/DenyUsers syntax