search for: denygroups

Displaying 20 results from an estimated 54 matches for "denygroups".

2009 Dec 29
2
[Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1690 Summary: AllowUsers and DenyGroups directives are not parsed in the order specified Product: Portable OpenSSH Version: 5.3p1 Platform: ix86 OS/Version: Linux Status: NEW Keywords: patch Severity: trivial Priority: P2 Compon...
2005 Mar 14
6
[Bug 999] AllowGroups ,DenyGroups failed to report hostname
http://bugzilla.mindrot.org/show_bug.cgi?id=999 Summary: AllowGroups ,DenyGroups failed to report hostname Product: Portable OpenSSH Version: 4.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org Report...
2007 Mar 15
0
[Bug 1298] Use of Allow/DenyGroups leads to slow login
http://bugzilla.mindrot.org/show_bug.cgi?id=1298 Summary: Use of Allow/DenyGroups leads to slow login Product: Portable OpenSSH Version: -current Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedB...
2014 Oct 10
1
[Bug 2292] New: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters
https://bugzilla.mindrot.org/show_bug.cgi?id=2292 Bug ID: 2292 Summary: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5...
2007 May 20
0
[Bug 1298] Use of Allow/DenyGroups leads to slow login
http://bugzilla.mindrot.org/show_bug.cgi?id=1298 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au --- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-05-20 16:59:07 ---
2020 Jul 18
2
[Bug 3193] New: Add separate section in sshd_config man page on Access Control
...ig man page, I suggest you add a separate section to provide a summary of common access control methods. ACCESS CONTROL In sshd, the access controls are placed in the configuration file. The following example is a starting point for a simple access policy: PermitRootLogin no DenyUsers @* DenyGroups root AllowUsers user at 10.1.1.* # Local network AllowUsers user at 1.2.3.4 # External site 1 AllowUsers user at 76.209.1.162 # External site 2 Match group ssh-users AllowUsers * The PermitRootLogin directive prevents ne'er-do-wells from brute-force attacking your ro...
2001 Jun 18
2
Patch for changing expired passwords
...return 0; } if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ ! if (ga_init(pw->pw_name, pw->pw_gid) == 0) return 0; /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) --- 94,112 ---- if (match_pattern(pw->pw_name, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ ! if (i >= options.num_allow_users) { ! log("User %.100s not allowed because not listed...
2012 Aug 10
1
AllowUsers "logic" and failure to indicate bad configuration
...It should not be necessary for AllowUsers to be the superset of AllowGroups. As Spock would say "it is illogical." If you had to write PF rules like that you'd go crazy. That's why most people use first-match logic. Per the manpage, if the logic is DenyUsers > AllowUsers > DenyGroups > AllowGroups, then there has to be an immediate stop to the logic chain at each stage. if $user ~= %DenyUsers; then ( deny; return ) if $user ~= %AllowUsers; then ( allow; return ) if $user member of %DenyGroups; then ( deny; return ) if $user member of %AllowGroups; then ( allow; return ) if (%A...
2007 Nov 02
1
[Patch, enh] Permit host and IP addresses in (Allow|Deny)Groups
...right -------------- diff -r -u -N openssh-4.7p1/auth.c osshGroupHostIP-4.7p1/auth.c --- openssh-4.7p1/auth.c 2007-03-26 09:35:28.000000000 -0700 +++ osshGroupHostIP-4.7p1/auth.c 2007-11-02 14:52:58.000000000 -0700 @@ -210,8 +210,13 @@ /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) +#ifndef GROUP_MATCH_HOST_AND_IP if (ga_match(options.deny_groups, options.num_deny_groups)) { +#else /* GROUP_MATCH_HOST_AND_IP */ + if (ga_match_host_and_ip(options.deny_groups, + options.num_deny_groups, hostname, ipaddr)) { +#endif /...
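Review bot: in the DenyGroups check, the `#ifndef GROUP_MATCH_HOST_AND_IP` / `#else` pair places an opening `if (...) {` in each preprocessor branch, so the block's single closing brace is paired with two different openers, and both sit under the unbraced outer `if (options.num_deny_groups > 0)`. That layout is easy to break in later edits to an access-control path. Prefer one call site: keep a single `if` and let `ga_match_host_and_ip()` reduce to `ga_match()` when the option is compiled out, so the control flow of the deny check reads the same in both builds. The added `hostname` and `ipaddr` arguments also deserve a comment saying where they come from, since a deny rule that depends on a resolved name is only as reliable as that lookup.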
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...ieving revision 1.249 diff -u -p -u -r1.249 servconf.c --- servconf.c 29 Jan 2014 06:18:35 -0000 1.249 +++ servconf.c 6 Jun 2014 08:04:06 -0000 @@ -399,8 +399,8 @@ static struct { { "denyusers", sDenyUsers, SSHCFG_ALL }, { "allowgroups", sAllowGroups, SSHCFG_ALL }, { "denygroups", sDenyGroups, SSHCFG_ALL }, - { "ciphers", sCiphers, SSHCFG_GLOBAL }, - { "macs", sMacs, SSHCFG_GLOBAL }, + { "ciphers", sCiphers, SSHCFG_ALL }, + { "macs", sMacs, SSHCFG_ALL }, { "protocol", sProtocol, SSHCFG_GLOBAL }, { "gatewayport...
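Review bot: changing the `ciphers` and `macs` table entries from `SSHCFG_GLOBAL` to `SSHCFG_ALL` only tells the parser to accept these keywords inside a Match block; it does not by itself make every Match criterion meaningful for them. Cipher and MAC negotiation happens during key exchange, before the user name is known, so a `Match User` or `Match Group` block cannot influence the algorithms already agreed. The patch should either reject these keywords under user-dependent criteria or document in sshd_config(5) which criteria take effect, so that an administrator does not believe a per-group cipher restriction is being enforced when it is not.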
2003 Feb 12
1
((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Hey everyone, After discussing the AllowGroups I think I've discovered a bug. The system is a solaris 8 system and the problem is that when I use AllowGroups with no AllowUsers args, the proper actions happen. Same with AllowUsers and no AllowGroups. When I try to combine the two, none of the Allow directives seem to take. Is it just me or maybe a bug? -James
2007 May 17
7
[Bug 1315] New: Match Group does not support negation
...ps (i.e. don't apply if the person is a member of the named group). The following patch adds this functionality. A small change to wording on line 534 of servconf.c is also in order, but I haven't added that. I also did not check to see if this causes any major headaches with AllowGroups or DenyGroups, which also use the modified function (ga_match), but I don't believe it should. The one assumption which should be spelled out is that if you get a negation match, that is a breaker which causes further matching to stop.
2005 May 26
1
OpenSSH 4.1 released
...sion tests * Portable OpenSSH: - OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to IPv4 addresses. This means that IPv4 addresses in log messages on IPv6 enabled machines will no longer be prefixed by "::ffff:" and AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only for 4-in-6 mapped connections. This ensures a consistent representation of IPv4 addresses regardless of whether or not the machine is IPv6 enabled. * Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006, #1024, and #1038 Chan...
2003 Feb 16
2
AllowUsers Change
Markus, ignore the other stuff I sent.. I need to go back to bed and stop trying to code.. <sigh> For everyone else.. Will this make everyone happy? This does the following. It will always honor AllowUsers. If there is no Allow/DenyGroups it stated they are not in AllowUsers. If there are AllowDenyGroups it tries them. And then stated they are not in either AllowUsers nor AllowGroups since PermitRootLogin is not handled in auth.c:allowed_users() I will not try to add that logic. I still believe it should be true. Diff against -...
2005 May 26
4
OpenSSH 4.1 released
...sion tests * Portable OpenSSH: - OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to IPv4 addresses. This means that IPv4 addresses in log messages on IPv6 enabled machines will no longer be prefixed by "::ffff:" and AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only for 4-in-6 mapped connections. This ensures a consistent representation of IPv4 addresses regardless of whether or not the machine is IPv6 enabled. * Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006, #1024, and #1038 Chan...
2002 Jul 04
4
Chroot patch (v3.4p1)
...a/servconf.c Mon Jun 24 23:22:04 2002 +++ openssh-3.4p1/servconf.c Wed Jul 3 11:23:26 2002 @@ -292,7 +292,7 @@ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sKeepAlives, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sAllowUsers, sDenyUsers, sChrootUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sVerifyReverseMapping, sHostbasedAuthentication, @@ -360,6 +360,7 @@...
2003 Jun 10
2
SecurID authentication for 3.6.1p2 with privsep
...ication for OpenSSH 3.6.1p2. This patch was totally rewritten, so please test it before use. Kbd-int authentication is now integrated into challenge response auth. Privsep is now fully supported. PS: What do you think of selective access to the individual authentications, similar to AllowGroups/DenyGroups or maybe AllowUsers/DenyUsers ? Vaclav Tomec http://sweb.cz/v_t_m/
2002 Oct 13
1
[PATCH] AIX password expiration
..._debug_init; +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +extern char *aixexpiremsg; +extern int aix_password_change_required; +#endif + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false @@ -202,19 +208,39 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n...
2015 Apr 28
0
[Bug 2391] New: Enhance AllowGroups documentation in man page
...sshd_config >AllowUsers user >AllowGroups othergroup user:user can NOT log in /etc/ssh/sshd_config >AllowUsers otheruser >AllowGroups user user:user can NOT log in Manual page states: > ".. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups." There is not mentioned what happens, if you succeed with User. If the chain continues to Groups tests or not. This should be clear not to confuse users. In spite of all the other bugs related to similar issue (#2292, #1690) I would say that this should be properly d...
2007 Dec 31
2
[Bug 1081] AIX port does not support group allow/ deny via nss_ldap
https://bugzilla.mindrot.org/show_bug.cgi?id=1081 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1144 is|0 |1 obsolete| | --- Comment #3 from Darren Tucker <dtucker at