Peter W. Osel
2007-Sep-20 19:05 UTC
OpenSSH 4.7p1 - support the use of netgroups in AllowUsers and DenyUsers configuration options
Hello,

I have attached a small patch that enables OpenSSH 4.7p1 to use netgroups for users and hosts entries in the AllowUsers and DenyUsers configuration options in sshd_config. This has the following advantages:

* hostnames or ip addresses don't have to be maintained in sshd_config, but you can use meaningful names for groups of users and groups of hosts.
* large scale installations can manage user groups and host groups in a central name service like NIS, NIS+, LDAP.
* sshd_config files no longer change when users and/or hosts are added/removed from the groups of users/hosts.
* administration effort for large installations is reduced.
* maintaining a consistent setup across a large set of systems is much easier.
* systems without PAM support (that cannot use e.g. pam_list or pam_access) can now use netgroup based access restrictions.
* the patch uses innetgr(3c) so netgroups can be stored in NIS, NIS+ or LDAP, or any other directory service that is plugged into nsswitch and that has a netgroup back end.

The changes were developed by Albert Fluegel af at muc.de and he has given me permission to submit them to OpenSSH. I have ported them to the current OpenSSH version, 4.7p1. I also want to thank Darren J Moffat for proposing to use innetgr(3c). Any errors in the attached code though are strictly mine.

While the syntax is not the nicest one (@myusers@@myhosts is a valid entry), using @ as a netgroup name prefix seems to be fairly common (e.g. Linux NFS exports, shosts/rhosts, ...). It also prevents user or host names from being accidentally interpreted as netgroups, or vice versa.

Cheers
--pwo
--
Peter W. Osel -- http://pwo.de/ -- pwo at pwo.de

---snip--snap-------------------------------------------------------------------
diff -ru openssh-4.7p1/match.c openssh-4.7p1_pwo0/match.c
--- openssh-4.7p1/match.c Fri Aug 4 22:39:40 2006
+++ openssh-4.7p1_pwo0/match.c Mon Sep 17 15:49:57 2007
@@ -204,6 +204,39 @@ } /* + * match user in @netgroup + */ +int +match_user_or_netgroup(const char *user, char *pattern) +{ + if(pattern[0] != '@') + return match_pattern(user, pattern); + +#ifdef HAVE_INNETGR + return innetgr(pattern + 1, NULL, user, NULL); +#else + return 0; +#endif +} + +/* + * match host in @netgroup + */ +int +match_host_and_ip_or_netgroup(const char *host, const char * ipaddr, char *pattern) +{ + if(pattern[0] != '@') + return match_host_and_ip(host, ipaddr, pattern); + +#ifdef HAVE_INNETGR + return innetgr(pattern + 1, host, NULL, NULL) + || innetgr(pattern + 1, ipaddr, NULL, NULL); +#else + return 0; +#endif +} + +/* * match user, user at host_or_ip, user at host_or_ip_list against pattern */ int @@ -213,15 +246,18 @@ char *p, *pat; int ret; - if ((p = strchr(pattern,'@')) == NULL) - return match_pattern(user, pattern); + if (strlen(pattern) < 1) + return 0; + if ((p = strchr(pattern + 1, '@')) == NULL) + return match_user_or_netgroup(user, pattern); + pat = xstrdup(pattern); - p = strchr(pat, '@'); + p = strchr(pat + 1, '@'); *p++ = '\0'; - if ((ret = match_pattern(user, pat)) == 1) - ret = match_host_and_ip(host, ipaddr, p); + if ((ret = match_user_or_netgroup(user, pat)) == 1) + ret = match_host_and_ip_or_netgroup(host, ipaddr, p); xfree(pat); return ret; diff -ru openssh-4.7p1/sshd_config.5 openssh-4.7p1_pwo0/sshd_config.5 --- openssh-4.7p1/sshd_config.5 Mon Jun 11 00:07:13 2007 +++ openssh-4.7p1_pwo0/sshd_config.5 Mon Sep 17 16:04:55 2007 
@@ -130,7 +130,10 @@ By default, login is allowed for all users. If the pattern takes the form USER at HOST then USER and HOST are separately checked, restricting logins to particular -users from particular hosts. +users from particular hosts. If NIS or LDAP +is available and netgroup querying is built in, either USER and +HOST can be the name of a netgroup of users or hosts, respectively, +prefixed with a @. Then @myusers@@myhosts is a valid entry here. The allow/deny directives are processed in the following order: .Cm DenyUsers , .Cm AllowUsers , @@ -268,8 +271,11 @@ By default, login is allowed for all users. If the pattern takes the form USER at HOST then USER and HOST are separately checked, restricting logins to particular -users from particular hosts. -The allow/deny directives are processed in the following order: +users from particular hosts. If NIS or LDAP is available and +netgroup querying is built in, either USER and HOST can be the +name of a netgroup of users or hosts, respectively, prefixed with +the character @ . Then e.g. @myusers@@myhosts is a valid entry +here. The allow/deny directives are processed in the following order: .Cm DenyUsers , .Cm AllowUsers , .Cm DenyGroups , ---snip--snap-------------------------------------------------------------------
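Review bot: In the `#else` branches of the two new functions in the first match.c hunk (`@@ -204,6 +204,39 @@`), a `@netgroup` pattern silently returns 0 when `HAVE_INNETGR` is not defined; that is fail-closed for `AllowUsers` but fail-open for `DenyUsers`, because a deny entry that never matches denies nobody. The same silent non-match happens at runtime when `innetgr()` returns 0 for a netgroup name that is misspelled or absent from the name service. Suggest rejecting `@` patterns at configuration-parse time on builds without `innetgr()`, and logging when a netgroup lookup yields no match, so an operator can distinguish "not a member" from "lookup not available". The hunk also adds no configure check and no header include for `innetgr()` (declared in `<netdb.h>` on glibc and Solaris), so as posted the netgroup branch is compiled in only if configure already defines `HAVE_INNETGR`. Both new functions should take `const char *pattern`: `match_user()` passes its `const char *pattern` into them, and `innetgr()` itself takes `const char *` arguments, so the current `char *` parameter drops a qualifier. Style: `if(pattern[0] != '@')` should be `if (pattern[0] != '@')` to match the surrounding code.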
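Review bot: In the `match_user()` hunk (`@@ -213,15 +246,18 @@`), everything after the second `@` is handed to `match_host_and_ip_or_netgroup()` as one string, so the `user at host_or_ip_list` form that the function's own comment advertises stops working once the host part begins with `@`: an entry like `alice@@hosts,!badhost` is passed to `innetgr()` as the netgroup name `hosts,!badhost`, and the `!` negation and comma-separated lists that `match_host_and_ip()` supports are unavailable for netgroup host parts. Either document that a `@netgroup` host part cannot be combined with a list or negated, or split the host part on `,` inside `match_host_and_ip_or_netgroup()` and apply the netgroup test per element. Minor: `strlen(pattern) < 1` reads more clearly as `*pattern == '\0'`, and a one-line comment that the check exists because `strchr()` is now called on `pattern + 1` would help the next reader.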
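Review bot: In the AllowUsers hunk of sshd_config.5 (`@@ -130,7 +130,10 @@`), "either USER and HOST can be the name of a netgroup" should read "either USER or HOST (or both) can be the name of a netgroup". "If NIS or LDAP is available" is also narrower than what the code does: `innetgr()` consults whatever netgroup source nsswitch is configured with (the cover mail itself lists NIS, NIS+, LDAP and any other nsswitch back end), so suggest "if netgroup lookups are available" instead of naming two services. The text should additionally state that a netgroup host part is matched against both the canonical hostname and the IP address, since that is what the match.c hunk implements and it affects which netgroup triples an administrator has to write.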
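Review bot: The DenyUsers hunk of sshd_config.5 (`@@ -268,8 +271,11 @@`) needs the same "either USER or HOST" wording fix as the AllowUsers hunk, and the two hunks should use identical phrasing: this one writes "the character @ ." with a stray space before the period and adds "e.g." where the first hunk does not. Since the DenyUsers entry is evaluated before AllowUsers, it is also the place to warn that a `@netgroup` entry which cannot be resolved matches nobody, i.e. an unresolvable deny entry denies no one.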