search for: allowuser

Hey everyone, After discussing the AllowGroups I think I've discovered a bug. The system is a solaris 8 system and the problem is that when I use AllowGroups with no AllowUsers args, the proper actions happen. Same with AllowUsers and no AllowGroups. When I try to combine the two, none of the Allow directives seem to take. Is it just me or maybe a bug? -James

Markus, ignore the other stuff I sent.. I need to go back to bed and stop trying to code.. <sigh> For everone else.. Will this make everyone happy? This does the follow. it will always honor AllowUsers. If there is no Allow/DenyGroups it stated they are not in allowUsers. IF there are AllowDenyGroups it tries them. And then stated they are not in either AllowUsers nor AllowGroups since PErmitRootLogin is not handled in auth.c:allowed_users() I will not try to add that logic. I still believe...

..., allowed from other places. DenyUsers root at 192.168.88.* Result: GOOD. root access denied from 192.168.88.0/24, allowed from other places. DenyUsers root@!192.168.88.44 Result: BAD. root can login from 192.168.88.40, or anywhere else So it seems the negation does not work. Continued tests: AllowUsers root at 192.168.88.* Result: GOOD. root can login only from 192.168.88.0/24. AllowUsers root@!192.168.88.44 Result: BAD. root cannot login from anywhere. In fact, no one can. AllowUsers root@!192.168.88.* Result: BAD. root cannot login from anywhere. In fact, no one can. AllowUsers root at 19...

https://bugzilla.mindrot.org/show_bug.cgi?id=1690 Summary: AllowUsers and DenyGroups directives are not parsed in the order specified Product: Portable OpenSSH Version: 5.3p1 Platform: ix86 OS/Version: Linux Status: NEW Keywords: patch Severity: trivial Priority: P2...

Hi, I hope this is the right place for a feature request. I'd like to have more flexible AllowUsers/DenyUsers synax. I am in a situation, where I have machines connected to three networks (a private, high speed, a public, and a private vpn) and I'd like to enable root logins only on the private networks. Currently I see no way of doing this, because there is no way to specify a class...

Hello, I've trawled archives looking for changes in the "AllowUsers" option, manuals, changes log, reported bugs and to my surprise I can't find anything or anyone that has reported the issues that I am experiencing. I am using the default installation sshd_config file as supplied by Redhat and the only options I have changed are: ListenAddress AllowUser...

It seems the syntax for AllowUsers in sshd_config is not the same that is given in man sshd_config and in several documentation on the web. (http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config) e.g. AllowUsers root does work. AllowUsers root username does not work. If I try to login as root I get "User root from &l...

Hi list! I have some machines running openssh 3.9p1. AllowUsers is set to my users, that are allowed to login. If I set PermitRoot without-password, but do not include root in AllowUsers, root is not able to login with pubkey. I do not want to set root in AllowUsers, since the without-password option should check this allready, I think... So I made a small pat...

...gest you add a separate section to provide a summary of common access control methods. ACCESS CONTROL In sshd, the access controls are placed in the configuration file. The following example is a starting point for a simple access policy: PermitRootLogin no DenyUsers @* DenyGroups root AllowUsers user at 10.1.1.* # Local network AllowUsers user at 1.2.3.4 # External site 1 AllowUsers user at 76.209.1.162 # External site 2 Match group ssh-users AllowUsers * The PermitRootLogin directive prevents ne'er-do-wells from brute-force attacking your root password. The...

...info/?l=openssh-unix-dev&m=132311628508429&w=2 Like him, I'm using 5.3p1 as packaged in CentOS 6.3. Secondly the Allow/Deny logic is downright tortured. I looked back and again didn't come across any good discussion as to why it was written that way. It should not be necessary for AllowUsers to be the superset of AllowGroups. As Spock would say "it is illogical." If you had to write PF rules like that you'd go crazy. That's why most people use first-match logic. Per the manpage, if the logic is DenyUsers > AllowUsers > DenyGroups > AllowGroups, then there h...

...opment account (and easy sudo). I don't want this account exposed on the internet side of the firewall, so I created a doorstep account with no perms and really long passwords to get anywhere useful. I looked through the SSH book and it gave me the impression that I could set up these rules: AllowUsers wiz@*.myhouse.nat AllowUsers doorstep@* But when I tested it was clear that OpenSSH 2.9 doesn't support this syntax. Then I searched this list and I found a post from June 4 by Andrew Tridgell supplying a patch to provide exactly this functionality. Actually I initially thought there might...

Hi, I've just been adding a few extra hosts to my sshd_config's AllowUsers, and it's got a bit unwieldy. As far as I can tell from the sshd_config(5) and ssh_config(5) man pages, the *only* way to specify multiple AllowUsers patterns is on a single line, separated by spaces. With more than 6 or 7 patterns it starts wrapping on to multiple lines and gets hard to...

...I wanted to use the AllowGroups facility to allow users in by group instead of listing individual usernames but also allow root only from a single central host. Setup actions: targetusername on target host has a secondary group entry of "staff". Updated sshd_config to add the lines: AllowUsers root at nimsrvr AllowGroups staff targertusername is NOT listed in AllowUsers Stopped and started sshd Attempted to ssh from another host as "ssh targetusername at targethost date" I always get the syslog message "user X from Y not allowed because not listed in AllowUsers. T...

Hey, After discussing the limit of MAX_ALLOW_USERS I've been trying to use AllowGroups instead. In the config file I have the AllowUsers lines before the AllowGroups lines (I have tried both ways) and it appears that the presence on the AllowGroups directives seems to blow away any Allow* directives I have set. I'm not sure how to check further for bugs so I figured I'd contact you guys. When I simply comment out the A...

This is a port of a patch I contributed to ssh 1.2.23 in May 1998. I have missed the functionality after moving to OpenSSH so I have updated the patch and hope OpenSSH might accept it. The patch allows sshd_config to have lines like: AllowUsers root at localhost AllowUsers tridge@* AllowUsers guest at 192.168.2.* DenyUsers badguy@* etc. I found this useful for restricting users to only login from hostnames that they pre-arranged with me. Patch is against current cvs. Cheers, Tridge Index: auth.c ====================================...

https://bugzilla.mindrot.org/show_bug.cgi?id=2384 Bug ID: 2384 Summary: AllowUsers doesn't allow users sssd domain users with @ in Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd...

While testing some AllowUsers and AllowGroups combinations I was surprised to find that one cannot be used to override the other. For example: AllowGroups administrators AllowUsers john If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to creat...

A short while ago, I looked at using the AllowUsers configuration option in openssh (v3.8p1 , but I believe this to be unchanged in 3.9p1) to restrict access such that only specific remote machines could access specific local accounts. I swiftly discovered that a) specifying wildcarded IP numbers to try to allow a useful IP range was pointless...

...logging in as "usEr" is exactly the same as logging in with "USer" as well as the other fourteen possible combinations for a four-letter username. ?Further, only the all-lowercase version invokes "start.sh." I thought I might be able to solve this with the following. AllowUsers user I thought this would force sshd to only let one case combination through. ?However, all case combinations can still log in and "start.sh" is not getting executed. ?In other words, there is a discrepancy between "Match User" and "AllowUsers" in this regard. Doe...

...l OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com Our customer got into problems using AllowGroup in combination with AllowUsers, because documentation in this part is little bit unclear. Original problem is that when you use AllowUsers in combination with AllowGroups, only users who are specified in AllowUsers AND some of their group is in AllowGroups can login. Minimal test case: /etc/ssh/sshd_config >AllowUsers user...