bugzilla-daemon at bugzilla.mindrot.org
2008-Dec-18 20:54 UTC
[Bug 1546] New: sshd_config DenyUsers does not recognize negated host properly
https://bugzilla.mindrot.org/show_bug.cgi?id=1546

Summary: sshd_config DenyUsers does not recognize negated host properly
Product: Portable OpenSSH
Version: 5.1p1
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P4
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: eric.sisson at gmail.com

Created an attachment (id=1590)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1590)
diff output for file match.c

The following specification in sshd_config

DenyUsers oracle@!localhost.localdomain

intended to allow user oracle to connect only from the localhost (that is, from another user already logged into the host) still allows user oracle to connect from remote hosts.

I traced this to the fact that function ``match_pattern_list'' in file ``match.c'' lacks code to handle this case. The attachment contains a diff to add the missing code in the form of an ``else'' branch to an ``if'' block near the end of the major ``for'' loop in the function. Although the diff is relative to the 5.1p1 version, I encountered the problem working with the 3.9p1 version; the code is consistent in these versions.

The meaning of the additional code is the following:

- If a string fails to match the subpattern of the configuration, then execution will flow into the ``else'' branch.
- Normally, the failure of a match is a failure (``got_positive'' retains its initialized value of zero).
- However, where a failure is desired (the ``!'' in the specification subpattern), then the occurrence of a failure is a ``success'', so ``got_positive'' should be set to one.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-07 15:15 UTC
[Bug 1546] sshd_config DenyUsers does not recognize negated host properly
https://bugzilla.mindrot.org/show_bug.cgi?id=1546

--- Comment #1 from Eric Sisson <eric.sisson at gmail.com> 2009-01-08 02:15:53 ---

I had posted a message to openssh-unix-dev on this issue, and I received a reply suggesting that instead of modifying the code of OpenSSH to recognize my sshd_config configuration directive

DenyUsers oracle@!localhost.localdomain

I should specify instead

DenyUsers oracle@*,!localhost.localdomain

I have tried this and it does work. However, this seems less direct and obvious than my (unsuccessful) specification, and I still think that mine should be allowed to work. I will admit that my proposed change may have unintended consequences.

At this point, I am not sure whether the problem properly may be described as a logic error in the code, obscure semantics of the pattern-matching algorithm, or incomplete documentation of the pattern-matching specifications. I will defer to the judgement of the OpenSSH team on how best to handle this situation.
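To see why the directive in the report and the workaround suggested in Comment #1 behave differently, here is an added example (a constructed re-implementation of the pattern-list semantics discussed above, not OpenSSH's own match.c) in which denies() evaluates a DenyUsers entry the way sshd does: it denies only on a positive match of both the user and the host half. With it, oracle@!localhost.localdomain denies neither remote nor local logins, because a list made only of negated subpatterns can return -1 or 0 but never 1, while oracle@*,!localhost.localdomain denies remote hosts and exempts the local one. The hostnames used are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Minimal glob: '*' matches any run, '?' one char (enough for this example). */
static int match_pattern(const char *s, const char *p)
{
    if (*p == '\0') return *s == '\0';
    if (*p == '*') return match_pattern(s, p + 1) || (*s && match_pattern(s + 1, p));
    return *s && (*p == '?' || *p == *s) && match_pattern(s + 1, p + 1);
}

/* Comma-separated pattern list with OpenSSH-style results (constructed
 * re-implementation): -1 if a '!'-negated subpattern matches, 1 if a positive
 * subpattern matched and no negated one did, 0 if nothing matched at all.
 * A list made only of negated subpatterns can therefore never return 1. */
int match_pattern_list(const char *string, const char *pattern)
{
    char sub[256];
    int got_positive = 0;
    size_t i = 0, len = strlen(pattern);

    while (i < len) {
        int negated = (pattern[i] == '!');
        size_t subi = 0;
        if (negated) i++;
        while (i < len && pattern[i] != ',' && subi < sizeof(sub) - 1)
            sub[subi++] = pattern[i++];
        if (i < len && pattern[i] == ',') i++;          /* skip separator */
        sub[subi] = '\0';
        if (match_pattern(string, sub)) {
            if (negated) return -1;                     /* negative match wins */
            got_positive = 1;
        }
    }
    return got_positive;
}

/* Does a DenyUsers entry "user@hostpattern" deny this user/host pair?
 * Only a positive (1) result on the host list counts; 0 and -1 do not deny. */
int denies(const char *entry, const char *user, const char *host)
{
    char upat[256];
    const char *at = strchr(entry, '@');
    if (at == NULL)                                     /* user-only entry */
        return match_pattern(user, entry);
    snprintf(upat, sizeof(upat), "%.*s", (int)(at - entry), entry);
    return match_pattern(user, upat) &&
           match_pattern_list(host, at + 1) == 1;
}
```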