Hi there,

I have just compiled openssh-5.0 on Solaris 10, and am trying to set up a certain pattern of user access control. Essentially, regular users should be able to login from any network, while root should be able to login only from a private network 192.168.88.0/22. Actually, for the purpose of sshd_config, this is four networks, but that's another story...

Here is what I tried:

DenyUsers root@!192.168.88.*
Result: root can login from anywhere while I expected it to be allowed only from 192.168.88.0/24

So I ran a number of tests to see which will work correctly.

DenyUsers root@192.168.88.40 # I used this client
Result: GOOD. root access denied from 192.168.88.40, allowed from other places.

DenyUsers root@192.168.88.*
Result: GOOD. root access denied from 192.168.88.0/24, allowed from other places.

DenyUsers root@!192.168.88.44
Result: BAD. root can login from 192.168.88.40, or anywhere else

So it seems the negation does not work. Continued tests:

AllowUsers root@192.168.88.*
Result: GOOD. root can login only from 192.168.88.0/24.

AllowUsers root@!192.168.88.44
Result: BAD. root cannot login from anywhere. In fact, no one can.

AllowUsers root@!192.168.88.*
Result: BAD. root cannot login from anywhere. In fact, no one can.

AllowUsers root@192.168.88.* !root@*
Result: BAD. root can login only from 192.168.88.0/24 but other users cannot login at all.

AllowUsers !root@*
Result: BAD. No one can login from anywhere

AllowUsers !root
Result: BAD. No one can login from anywhere

Conclusion: Negation (!) does not work for either `user' or `address'.

Am I doing something wrong, or is this truly broken? If more information is needed, I will be happy to provide it.

Regards,

Andy

Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect
United Airlines
On Thu, May 08, 2008 at 11:42:23PM -0500, Andy Tsouladze wrote:
> Essentially, regular users should be able to login from any
> network, while root should be able to login only from a private
> network 192.168.88.0/22.

> AllowUsers root@192.168.88.* !root@*
> Result: BAD. root can login only from 192.168.88.0/24 but other
> users cannot login at all.

What if you change the order and/or space to a comma?

AllowUsers !root@*,root@192.168.88.*

You could also try using Match.

//Peter
On Fri, 9 May 2008, Peter Stuge wrote:
> On Thu, May 08, 2008 at 11:42:23PM -0500, Andy Tsouladze wrote:
>> Essentially, regular users should be able to login from any
>> network, while root should be able to login only from a private
>> network 192.168.88.0/22.
>
>> AllowUsers root@192.168.88.* !root@*
>> Result: BAD. root can login only from 192.168.88.0/24 but other
>> users cannot login at all.
>
> What if you change the order and/or space to a comma?
>
> AllowUsers !root@*,root@192.168.88.*

Tried it - does not make a difference. Besides, even

AllowUsers !root@*

alone does not work. I was not able to find a single instance where negation would work.

> You could also try using Match.

Great idea! It does seem to accomplish what I need, but I have to use multiple Match lines, like this:

PermitRootLogin no
Match Address 192.168.89.*
PermitRootLogin yes
Match Address 192.168.88.*
PermitRootLogin yes
...

BTW, negation does not work within Match block either...

Thanks a lot,

Andy

Dr Andy Tsouladze
Sr Unix SysAdmin/System Architect
United Airlines
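The Match-based configuration that the thread arrives at, written out in full as an added example (this is not a configuration posted by either participant). It uses the "deny globally, allow inside a Match block" shape, which avoids relying on `!` in AllowUsers/DenyUsers at all; the PATTERNS section of ssh_config(5) documents that a negated pattern never produces a positive match by itself, which is consistent with the "no one can login" results above. The CIDR form of `Match Address` is available from OpenSSH 5.1 onward; the commented-out comma-separated wildcard form is the 5.0-compatible equivalent, covering the four /24s that make up 192.168.88.0/22.

```text
# Added example sshd_config fragment: root may log in only from 192.168.88.0/22,
# every other user is unrestricted by this fragment.

# Global section: refuse root everywhere by default.
PermitRootLogin no

# Match blocks must come after all global directives. Every line after a
# "Match" belongs to that block until the next "Match", so indentation is
# cosmetic but the ordering is not.
#
# OpenSSH 5.1 or later: CIDR notation is accepted by Match Address.
Match Address 192.168.88.0/22
    PermitRootLogin yes

# OpenSSH 5.0: no CIDR support, but the criteria accept a comma-separated
# list of wildcard patterns, so one block covers all four /24 networks.
# Match Address 192.168.88.*,192.168.89.*,192.168.90.*,192.168.91.*
#     PermitRootLogin yes
```

From OpenSSH 5.1 onward the effective value for a given client can be checked without a live login, for example `sshd -T -C user=root,host=client.example.com,addr=192.168.90.7 -f /etc/ssh/sshd_config | grep -i permitrootlogin` should report `yes`, and the same command with an address outside the /22 should report `no`; on 5.0, which lacks `-T`/`-C`, the only check is a real connection attempt from inside and outside the private range.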