search for: denyusers

Hey everyone, After discussing the AllowGroups I think I've discovered a bug. The system is a solaris 8 system and the problem is that when I use AllowGroups with no AllowUsers args, the proper actions happen. Same with AllowUsers and no AllowGroups. When I try to combine the two, none of the Allow directives seem to take. Is it just me or maybe a bug? -James

https://bugzilla.mindrot.org/show_bug.cgi?id=1546 Summary: sshd_config DenyUsers does not recognize negated host properly Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: All Status: NEW Severity: minor Priority: P4 Component: sshd AssignedTo: unassigne...

...of user access control. Essentially, regular users should be able to login from any network, while root should be able to login only from a private network 192.168.88.0/22. Actually, for the purpose of sshd_config, this is four networks, but that's another story... Here is what I tried: DenyUsers root@!192.168.88.* Result: root can login from anywhere while I expected it to be allowed only from 192.168.88.0/24 So I ran a number of tests to see which will work correctly. DenyUsers root at 192.168.88.40 # I used this client Result: GOOD. root access denied from 192.168.88.40, allowed from...

Hi, I hope this is the right place for a feature request. I'd like to have more flexible AllowUsers/DenyUsers synax. I am in a situation, where I have machines connected to three networks (a private, high speed, a public, and a private vpn) and I'd like to enable root logins only on the private networks. Currently I see no way of doing this, because there is no way to specify a class that doe...

...In the sshd_config man page, I suggest you add a separate section to provide a summary of common access control methods. ACCESS CONTROL In sshd, the access controls are placed in the configuration file. The following example is a starting point for a simple access policy: PermitRootLogin no DenyUsers @* DenyGroups root AllowUsers user at 10.1.1.* # Local network AllowUsers user at 1.2.3.4 # External site 1 AllowUsers user at 76.209.1.162 # External site 2 Match group ssh-users AllowUsers * The PermitRootLogin directive prevents ne'er-do-wells from brute-force...

https://bugzilla.mindrot.org/show_bug.cgi?id=2292 Bug ID: 2292 Summary: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement...

Hello, I have attached a small patch that enables OpenSSH 4.7p1 to use netgroups for users and hosts entries in the AllowUsers and DenyUsers configuration options in sshd_config. This has the following advantages: * hostnames or ip addresses don't have to be maintained in sshd_config, but you can use meaningful names for groups of users and groups of hosts. * large scale installations can manage user groups and host groups in a c...

...y: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: alves at montecristogames.com --- Comment #0 from David Alves <alves at montecristogames.com> 2009-09-03 01:55:19 EST --- Hello, I found this strange behaviour When setting a user in the DenyUsers directive and then Matching it on a Match directive it does not work. I read the man 5 sshd-config : "If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the...

...ng > bungle on Void's part. Don't know about this one. Might install a VM to look at this if I get a chance. > On Debian testing: discovered a small-but-significant problem in auth.c's > allowed_user() function. Commit 010359b3 expanded the body of the loop that > checks DenyUsers entries, but didn't add the necessary braces around it, so > it didn't exactly have the intended effect, instead resulting in only the > last entry in DenyUsers actually being enforced. (Credit to gcc's > -Wmisleading-indentation warning here.) Nice find! Fixed. > The at...

...er "joe" belonging to group "joe" will be denied access based on his group. However, the sshd_config man page states that AllowUsers should be processed before DenyGroups, thereby allowing joe to log in: "... The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups." To reproduce: 1) Create a user 'test' and give him a password. 2) Add these lines in sshd_config: AllowUsers test DenyGroups test 3) Restart sshd. 4) Attempt to SSH in as user 'test'. 5) Check /var/log/auth.log. The attemp...

...l : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20081216/fe35d5b5/attachment.bin -------------- next part -------------- Justification ------------- On a system running Red Hat Enterprise Linux 4, I wanted to use a configuration of the following form in sshd_config: DenyUsers oracle@!localhost.localdomain that would prevent user ``oracle'' from logging into the host from any host except the host itself (localhost). Rephrased, I want to allow logins to user ``oracle'' only by users who already are logged into the same host that has user ``oracle...

...a patch I contributed to ssh 1.2.23 in May 1998. I have missed the functionality after moving to OpenSSH so I have updated the patch and hope OpenSSH might accept it. The patch allows sshd_config to have lines like: AllowUsers root at localhost AllowUsers tridge@* AllowUsers guest at 192.168.2.* DenyUsers badguy@* etc. I found this useful for restricting users to only login from hostnames that they pre-arranged with me. Patch is against current cvs. Cheers, Tridge Index: auth.c =================================================================== RCS file: /cvs/openssh_cvs/auth.c,v retrieving re...

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different

...9;) ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ ! if (stat(shell, &st) != 0) return 0; ! if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) return 0; /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) ! if (match_pattern(pw->pw_name, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users >...

...ed by spaces. With more than 6 or 7 patterns it starts wrapping on to multiple lines and gets hard to read, especially as the sshd_config file does not support backslash newline continuation. Searching the mailing list archives for AllowUsers, I came across a message which implies that multiple DenyUsers (which I assume works the same as AllowUsers) lines are permitted[0], and that they are equivalent to a single concatenated DenyUsers line. Further, using multiple AllowUsers directives appears to work. But I can find no mention of this behaviour in the man pages. So, is this guaranteed behavi...

Hey everyone, I have been using sftp for quite some time now and we have just hit 256 sftp users. Line 21 of servconf.h reads: #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ I am curious why this is in a header file and not something that is in sshd_config that can be changed without recompile? Thanks in advance! -- James Dennis Harvard Law School "Not

Hello all, on website http://sweb.cz/v_t_m/ the Auth selection patch is available. This patch allows to specify AllowUsers, DenyUsers for individual authentications (hostbased, publickey, password, keyboard-interactive, kerberos, kerberos_or_local, gss, securid-1 at ssh.com). By this you can define authentication methods for each user. All configuration options are mentioned in file sshd_config. Their usage is the same like wi...

...s AllowUsers john If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to create another group just for ssh, something like ssh-admins. This other excerpt works as expected, at least for me: AllowGroups administrators DenyUsers johnadmin If johnadmin is part of the administrators group, he is still denied access. This all with openssh-3.8.1p1 on Linux.

I want to allow a single host root access via ssh. If the order of processing DenyUsers, AllowUsers were reversed this cold be done in a straight forward manner. My question, is would adding an Apache-like derective Order Deny,Allow violate any standards or be a security problem? _____ Douglas Denault http://www.safeport.com doug at safeport.com

The denyUsers / AllowUsers option in openSSH does not satisfy our needs. We want to supply our own software to allow/deny sessions based on time of day. I do not know if PAM can do this, but in any case we can not use PAM. ? Did someone do such a change in openSSH code