openssh unix dev - Dec 2008 - Request change to file match.c, function match_pattern_list

Greetings,

This request is in the grey area between a bug report and an  
enhancement request.



Request
-------

Please apply the following diff (or something functionally similar) to  
file ``match.c'' in OpenSSH-5.1p1:

161a162,164
 > 		} else {
 > 			if (negated)
 > 				got_positive = 1;	/* Negative match, negated = Positive */

In case the lines above wrapped in the email transmission, the diff is  
attached as a .gz file.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: match.c.diff.gz
Type: application/x-gzip
Size: 104 bytes
Desc: not available
Url :
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20081216/fe35d5b5/attachment.bin
-------------- next part --------------





Justification
-------------

On a system running Red Hat Enterprise Linux 4, I wanted to use a  
configuration of the following form in sshd_config:

   DenyUsers oracle@!localhost.localdomain

that would prevent user ``oracle'' from logging into the host from any  
host except the host itself (localhost).  Rephrased, I want to allow  
logins to user ``oracle'' only by users who already are logged into  
the same host that has user ``oracle''.

The above construct fails in OpenSSH, and I traced the failure to the  
absence of code handling this case in an ``if'' statement (that checks  
the result of function ``match_pattern'') near the end of the main  
``for'' loop in function ``match_pattern_list'' in file
``match.c''.
The diff above is an example of code to handle this case.

The meaning of this new code is the following:

- If a string fails to match the subpattern of the configuration, then  
execution will flow into ``else'' branch.

- Normally, the failure of a match is a failure (``got_positive''  
retains its initialized value of zero).

- However, where a failure is desired (the ``!'' in the specification  
subpattern), then the occurrence of a failure is a ``success'', so  
``got_positive'' should be set to one.

Initially, I was working with OpenSSH-3.9p1, but I see that the code  
remains consistent through OpenSSH-5.1p1, so I am reporting this  
change request relative to the newer version.



Respectfully,
Eric Sisson
-- 
Eric M. Sisson, Systems Analyst III               email: ems at mdacc.tmc.edu
Clinical Research Information Systems - Box 237   voice: 713-792-2629
University of Texas M. D. Anderson Cancer Center    fax: 713-745-0615
1515 Holcombe Boulevard
Houston, Texas  77030-4009

Circa 2008-12-16 14:48 dixit Eric Sisson:

: This request is in the grey area between a bug report and an  
: enhancement request.

Probably best to file this in the OpenSSH Bugzilla:

    http://www.openssh.com/report.html
    (and follow the "Bugzilla" link).

This may avoid your report getting lost amid mailing list noise.

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA  >>>>>> 
http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
+----------------------------------------------------------------------+

On Tue, Dec 16, 2008 at 13:48:36 -0600, Eric Sisson
wrote:
>
> On a system running Red Hat Enterprise Linux 4, I wanted to use a  
> configuration of the following form in sshd_config:
>
>   DenyUsers oracle@!localhost.localdomain
>
You might want to try this instead:

	DenyUsers oracle@*,!localhost.localdomain

-- 
Iain Morgan