Displaying 20 results from an estimated 54 matches for "denygroup".
Did you mean:
denygroups
2009 Dec 29
2
[Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1690
Summary: AllowUsers and DenyGroups directives are not parsed in
the order specified
Product: Portable OpenSSH
Version: 5.3p1
Platform: ix86
OS/Version: Linux
Status: NEW
Keywords: patch
Severity: trivial
Priority: P2
Compo...
2005 Mar 14
6
[Bug 999] AllowGroups ,DenyGroups failed to report hostname
http://bugzilla.mindrot.org/show_bug.cgi?id=999
Summary: AllowGroups ,DenyGroups failed to report hostname
Product: Portable OpenSSH
Version: 4.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
Repor...
2007 Mar 15
0
[Bug 1298] Use of Allow/DenyGroups leads to slow login
http://bugzilla.mindrot.org/show_bug.cgi?id=1298
Summary: Use of Allow/DenyGroups leads to slow login
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
Reported...
2014 Oct 10
1
[Bug 2292] New: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters
https://bugzilla.mindrot.org/show_bug.cgi?id=2292
Bug ID: 2292
Summary: sshd_config(5): DenyUsers, AllowUsers, DenyGroups,
AllowGroups should actually tell how the evaluation
order matters
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5...
2007 May 20
0
[Bug 1298] Use of Allow/DenyGroups leads to slow login
http://bugzilla.mindrot.org/show_bug.cgi?id=1298
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-05-20 16:59:07 ---
2020 Jul 18
2
[Bug 3193] New: Add separate section in sshd_config man page on Access Control
...ig man page, I suggest you add a separate section to
provide a summary of common access control methods.
ACCESS CONTROL
In sshd, the access controls are placed in the configuration file. The
following example is a starting point for a simple access policy:
PermitRootLogin no
DenyUsers @*
DenyGroups root
AllowUsers user at 10.1.1.* # Local network
AllowUsers user at 1.2.3.4 # External site 1
AllowUsers user at 76.209.1.162 # External site 2
Match group ssh-users
AllowUsers *
The PermitRootLogin directive prevents ne'er-do-wells from brute-force
attacking your r...
2001 Jun 18
2
Patch for changing expired passwords
...return 0;
}
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
/* Get the user's group access list (primary and supplementary) */
! if (ga_init(pw->pw_name, pw->pw_gid) == 0)
return 0;
/* Return false if one of user's groups is listed in DenyGroups */
if (options.num_deny_groups > 0)
--- 94,112 ----
if (match_pattern(pw->pw_name, options.allow_users[i]))
break;
/* i < options.num_allow_users iff we break for loop */
! if (i >= options.num_allow_users) {
! log("User %.100s not allowed because not liste...
2012 Aug 10
1
AllowUsers "logic" and failure to indicate bad configuration
...It should not be necessary for AllowUsers to be the superset of
AllowGroups. As Spock would say "it is illogical." If you had to write PF
rules like that you'd go crazy. That's why most people use first-match
logic.
Per the manpage, if the logic is DenyUsers > AllowUsers > DenyGroups >
AllowGroups, then there has to be a immediate stop to the logic chain at
each stage.
if $user ~= %DenyUsers; then ( deny; return )
if $user ~= %AllowUsers; then { allow; return )
if $user member of %DenyGroups; then (deny; return )
if $user member of %AllowGroups; then (allow; return )
if (%...
2007 Nov 02
1
[Patch, enh] Permit host and IP addresses in (Allow|Deny)Groups
...right
--------------
diff -r -u -N openssh-4.7p1/auth.c osshGroupHostIP-4.7p1/auth.c
--- openssh-4.7p1/auth.c 2007-03-26 09:35:28.000000000 -0700
+++ osshGroupHostIP-4.7p1/auth.c 2007-11-02 14:52:58.000000000
-0700
@@ -210,8 +210,13 @@
/* Return false if one of user's groups is listed in
DenyGroups */
if (options.num_deny_groups > 0)
+#ifndef GROUP_MATCH_HOST_AND_IP
if (ga_match(options.deny_groups,
options.num_deny_groups)) {
+#else /* GROUP_MATCH_HOST_AND_IP */
+ if (ga_match_host_and_ip(options.deny_groups,
+ options.num_deny_groups, hostname, ipaddr))
{
+#endif...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...ieving revision 1.249
diff -u -p -u -r1.249 servconf.c
--- servconf.c 29 Jan 2014 06:18:35 -0000 1.249
+++ servconf.c 6 Jun 2014 08:04:06 -0000
@@ -399,8 +399,8 @@ static struct {
{ "denyusers", sDenyUsers, SSHCFG_ALL },
{ "allowgroups", sAllowGroups, SSHCFG_ALL },
{ "denygroups", sDenyGroups, SSHCFG_ALL },
- { "ciphers", sCiphers, SSHCFG_GLOBAL },
- { "macs", sMacs, SSHCFG_GLOBAL },
+ { "ciphers", sCiphers, SSHCFG_ALL },
+ { "macs", sMacs, SSHCFG_ALL },
{ "protocol", sProtocol, SSHCFG_GLOBAL },
{ "gatewaypor...
2003 Feb 12
1
((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Hey everyone,
After discussing the AllowGroups I think I've discovered a bug.
The system is a solaris 8 system and the problem is that when I use
AllowGroups with no AllowUsers args, the proper actions happen. Same
with AllowUsers and no AllowGroups. When I try to combine the two, none
of the Allow directives seem to take.
Is it just me or maybe a bug?
-James
2007 May 17
7
[Bug 1315] New: Match Group does not support negation
...ps (i.e. don't apply if the person is a member of the named group).
The following patch adds this functionality. A small change to wording
on line 534 of servconf.c is also in order, but I haven't added that. I
also did not check to see if this causes any major headaches with
AllowGroups or DenyGroups, which also use the modified function
(ga_match), but I don't believe it should. The one assumption which
should be spelled out is that if you get a negation match, that is a
breaker which causes further matching to stop.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=e...
2005 May 26
1
OpenSSH 4.1 released
...sion tests
* Portable OpenSSH:
- OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to
IPv4 addresses. This means that IPv4 addresses in log messages on IPv6
enabled machines will no longer be prefixed by "::ffff:" and AllowUsers,
DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only
for 4-in-6 mapped connections. This ensures a consistent representation
of IPv4 addresses regardless of whether or not the machine is IPv6
enabled.
* Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006,
#1024, and #1038
Cha...
2003 Feb 16
2
AllowUsers Change
Markus, ignore the other stuff I sent.. I need to go back to bed and stop
trying to code.. <sigh>
For everone else.. Will this make everyone happy?
This does the follow.
it will always honor AllowUsers.
If there is no Allow/DenyGroups it stated they are not in allowUsers. IF
there are AllowDenyGroups it tries them. And then stated they are not in
either AllowUsers nor AllowGroups
since PErmitRootLogin is not handled in auth.c:allowed_users() I will not
try to add that logic. I still believe it should be true.
Diff against...
2005 May 26
4
OpenSSH 4.1 released
...sion tests
* Portable OpenSSH:
- OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to
IPv4 addresses. This means that IPv4 addresses in log messages on IPv6
enabled machines will no longer be prefixed by "::ffff:" and AllowUsers,
DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only
for 4-in-6 mapped connections. This ensures a consistent representation
of IPv4 addresses regardless of whether or not the machine is IPv6
enabled.
* Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006,
#1024, and #1038
Cha...
2002 Jul 04
4
Chroot patch (v3.4p1)
...a/servconf.c Mon Jun 24 23:22:04 2002
+++ openssh-3.4p1/servconf.c Wed Jul 3 11:23:26 2002
@@ -292,7 +292,7 @@
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sKeepAlives,
sUseLogin, sAllowTcpForwarding, sCompression,
- sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+ sAllowUsers, sDenyUsers, sChrootUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
@@ -360,6 +360,7 @...
2003 Jun 10
2
SecurID authentication for 3.6.1p2 with privsep
...ication for OpenSSH 3.6.1p2.
This patch was totaly rewritten, so please test it before use.
Kbd-int authentication is now integrated into challenge response
auth.
Privsep is now fully suported.
PS: What do you think of selective access to the individual
authentications, similar to AllowGroups/DenyGroups or maybe
AllowUsers/DenyUsers ?
Vaclav Tomec
http://sweb.cz/v_t_m/
______________________________________________________________________
Reklama:
Tolik v?c? a v?hod jako od Contactel Bonus Clubu jen tak nez?sk?te http://ad2.seznam.cz/redir.cgi?instance=55052%26url=http://club.razdva.cz/
2002 Oct 13
1
[PATCH] AIX password expiration
..._debug_init;
+#ifdef WITH_AIXAUTHENTICATE
+void aix_remove_embedded_newlines(char *);
+extern char *aixexpiremsg;
+extern int aix_password_change_required;
+#endif
+
/*
* Check if the user is allowed to log in via ssh. If user is listed
* in DenyUsers or one of user's groups is listed in DenyGroups, false
@@ -202,19 +208,39 @@
}
#ifdef WITH_AIXAUTHENTICATE
- if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
- if (loginmsg && *loginmsg) {
- /* Remove embedded newlines (if any) */
- char *p;
- for (p = loginmsg; *p; p++) {
- if (*p == '\n...
2015 Apr 28
0
[Bug 2391] New: Enhance AllowGroups documentation in man page
...sshd_config
>AllowUsers user
>AllowGroups othergroup
user:user can NOT log in
/etc/ssh/sshd_config
>AllowUsers otheruser
>AllowGroups user
user:user can NOT log in
Manual page states:
> ".. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups."
There is not mentioned what happens, if you succeed with User. If the
chain continues to Groups tests or not. This should be clear not to
confuse users.
In spite of all the other bugs related to similar issue (#2292, #1690)
I would say that this should be properly...
2007 Dec 31
2
[Bug 1081] AIX port does not support group allow/ deny via nss_ldap
https://bugzilla.mindrot.org/show_bug.cgi?id=1081
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1144 is|0 |1
obsolete| |
--- Comment #3 from Darren Tucker <dtucker at