I have a number of development machines behind my OpenBSD firewall which all provide a very permissive development account (and easy sudo). I don't want this account exposed on the internet side of the firewall, so I created a doorstep account with no perms and really long passwords to get anywhere useful. I looked through the SSH book and it gave me the impression that I could set up these rules: AllowUsers wiz@*.myhouse.nat AllowUsers doorstep@* But when I tested it was clear that OpenSSH 2.9 doesn't support this syntax. Then I searched this list and I found a post from June 4 by Andrew Tridgell supplying a patch to provide exactly this functionality. Actually I initially thought there might be an ipf-like syntax: AllowUsers wiz at xl0 The other option is to run different instances of sshd bound to different interfaces, with different config files. I'd rather not. Andrew's patch would do the job just fine. I hope it gets incorporated, especially since the SSH book implies that this kind of access control is possible. Allan
On Wed, 13 Jun 2001, Allan Stokes wrote:> Andrew's patch would do the job just fine. I hope it gets incorporated, > especially since the SSH book implies that this kind of access control is > possible.This has been a feature of SSH.COM's sshd for a long time, and this is what the book is probably referring to. Basically methods to control connecting hosts in sshd_config have been removed from OpenSSH because most of these features are provided by tcp_wrappers. Default tcp_wrappers can't handle the situation you're describing, or one where you want to use wildcards in all possible places in hostname definitions. There has been some debate on this in the past, but Markus et al haven't seen the need for this. Perhaps user at host control would be a "killer-application" in this regard? -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
> This has been a feature of SSH.COM's sshd for a long time, and this is > what the book is probably referring to.On page 6 the SSH book provides a secret decoder ring: SSH - generic term SSH-1 - the SSH protocol version 1 SSH-2 - the SSH protocol version 2 SSH1 - TY's ssh1 SSH2 - TY's ssh2 ssh - the client program (which is sometimes called ssh1 and ssh2) OpenSSH - OpenSSH from the OpenBSD project OpenSSH/1 - OpenSSH's behaviour wrt SSH-1 OpenSSH/2 - OpenSSH's behaviour wrt SSH-2 Section 5.5.2 gives examples of access control. I'll cite the examples attributed to OpenSSH which include wildcards, grouped by scope, ignoring examples which focus on Accept/Deny interaction. # SSH1, SSH2, OpenSSH AllowUsers ?mith AllowUsers s*@*.edu # page 179 # SSH1, OpenBSD AllowUsers smith jones cs* AllowGroups ?aculty s*s Hmm, not much meets the stated criteria. I'll also quote one small passage: <<< Finally, here is a useful configuration example, expressed in SSH1 syntax: AllowUsers walrus@* carpenter@* *@*.beach.net>>>We can cross out "probably referring" and replace it with "explicitly states". The SSH book explicitly documents that OpenSSH handles this syntax (erroneously for the time being) with a tip of the hat about the utility of this feature. Allan
Possibly Parallel Threads
- AllowUsers Change
- Problem, possibly bug with AllowUsers & DenyUsers
- ((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
- more flexible AllowUsers/DenyUsers syntax
- PermitRoot without-password doesn't work if AllowUsers user1 user2 set, but root not included; Also some bug in auth.c (Me thinks)