Hi, I hope this is the right place for a feature request. I'd like to have more flexible AllowUsers/DenyUsers synax. I am in a situation, where I have machines connected to three networks (a private, high speed, a public, and a private vpn) and I'd like to enable root logins only on the private networks. Currently I see no way of doing this, because there is no way to specify a class that doesn't match. Something like: AllowUsers ~root@* AllowUsers root at 10.0.2.0/24 AllowUsers root at 172.31.0.0/24 Would be really really friggin' nice. Even nicer would be to have acl statements with sophistication akin to squids configuration. Futher, it would be really nice to be able to understand when openssh treats a pattern match like an ip or network and when openssh treats a pattern match like a host or domain name. Are any features like this planned? Is what I am asking for reasonable? -- Daniel -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050628/d4dd1a54/attachment.bin
The easiest way to do this would be to have three sshd's running, but listening on different IP addresses. You could give each its own config file with the -f option and have only one of them allow root logins. Mike On Tue, 28 Jun 2005, Daniel Rogers wrote:> Hi, > > I hope this is the right place for a feature request. > I'd like to have more flexible AllowUsers/DenyUsers synax. > > I am in a situation, where I have machines connected to three networks (a > private, high speed, a public, and a private vpn) and I'd like to enable root > logins only on the private networks. Currently I see no way of doing this, > because there is no way to specify a class that doesn't match. Something > like: > AllowUsers ~root@* > AllowUsers root at 10.0.2.0/24 > AllowUsers root at 172.31.0.0/24 > Would be really really friggin' nice. > Even nicer would be to have acl statements with sophistication akin to squids > configuration. > > Futher, it would be really nice to be able to understand when openssh treats > a pattern match like an ip or network and when openssh treats a pattern match > like a host or domain name. > > Are any features like this planned? Is what I am asking for reasonable? > > -- > Daniel >
Daniel Rogers wrote:> I hope this is the right place for a feature request.It is.> I'd like to have more flexible AllowUsers/DenyUsers synax. > > I am in a situation, where I have machines connected to three networks > (a private, high speed, a public, and a private vpn) and I'd like to > enable root logins only on the private networks. Currently I see no > way of doing this, because there is no way to specify a class that > doesn't match. Something like: > AllowUsers ~root@* > AllowUsers root at 10.0.2.0/24 > AllowUsers root at 172.31.0.0/24You can already negate a "subpattern" with "!" (hmm, this fact appears to be missing from the man page), so you can probably do what you want with something like (untested): DenyUsers root@!10.0.2.* DenyUsers root@!172.31.0.* There are several components that could benefit from understanding CIDR notation, see http://bugzilla.mindrot.org/show_bug.cgi?id=976> Would be really really friggin' nice. > Even nicer would be to have acl statements with sophistication akin to > squids configuration. > > Futher, it would be really nice to be able to understand when openssh > treats a pattern match like an ip or network and when openssh treats a > pattern match like a host or domain name.Right now it always checks both, IP address first.> Are any features like this planned? Is what I am asking for reasonable?Yes but not a high priority. I'd like to see it incorporated into RequiredAuthentications (see http://bugzilla.mindrot.org/show_bug.cgi?id=983 and previous discussion on openssh-unix-dev) as an optional extension, ie RequiredAuthentications method[,method] [user at host] eg RequiredAuthentications password,rsa,hostbased root at 10.0.0.0/8 RequiredAuthentications rsa root@* PermitRootLogin would then become an alias for "RequiredAuthentications [methods] root". (The CIDR thing would probably be a simple project if someone wanted to code it.) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Apparently Analagous Threads
- ((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
- Problem, possibly bug with AllowUsers & DenyUsers
- [Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified
- Question about AllowUsers and AllowGroups
- [Bug 2292] New: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters