Displaying 19 results from an estimated 19 matches for "match_pattern".
2001 Jun 04
0
[patch] user@host in AllowUsers
...s digits and '.'
+ then match as a IP, otherwise match as a hostname
+ */
+static int match_host(const char *host, const char *ip, const char *pattern)
+{
+ const char *p;
+ for (p=pattern; *p; p++) {
+ if (!strchr("0123456789*?.", *p)) {
+ /* treat as a hostname */
+ return match_pattern(host, pattern);
+ }
+ }
+ return match_pattern(ip, pattern);
+}
+
+
+/* this combines the effect of match_pattern on a username, hostname
+ and IP address. If the pattern contains a @ then the part preceding
+ the @ is checked against the username. The part after the @ is
+ checked against t...
2006 Feb 10
0
OpenSSH ControlAllowUsers, et al Patch
...low_groups || options.num_control_deny_groups)
+ && !(egr = getgrgid(euid))) {
+ error("%s getgrgid failed: %s", __func__, strerror(errno));
+ return -1; /* Fail, otherwise we might miss a deny pattern. */
+ }
+
+ for (i = 0; i < options.num_control_deny_users; i++) {
+ if (match_pattern(euidstr,options.control_deny_users[i])
+ || (epw && match_pattern(epw->pw_name,options.control_deny_users[i]))) {
+ error("%s control mode uid denied: %s", __func__, options.control_deny_users[i]);
+ return 0;
+ }
+ }
+
+ for (i = 0; i < options.num_control_deny_group...
2016 Apr 15
2
ssh-keygen -R is case-sensitive, but should not be
Here is a better patch. Somehow I pasted an older version of my edits:
-------------------------------------------------------
% diff ./match.c /home/millerig/osrc/openssh-7.2p2/match.c
121a122
> char *low_string = 0;
156,159c157,168
< if (match_pattern(string, sub)) {
< if (negated)
< return -1; /* Negative */
< else
---
> if (dolower) {
> u_int j;
> if (low_string) free(low_string);
> low_string = malloc(strlen(string) + 1);
> for (j = 0; j < strlen(string); ++j) low_string[j] = tolower(string[...
2001 Jun 18
2
Patch for changing expired passwords
...hell, &st) != 0)
return 0;
! if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
return 0;
/* Return false if user is listed in DenyUsers */
if (options.num_deny_users > 0) {
for (i = 0; i < options.num_deny_users; i++)
! if (match_pattern(pw->pw_name, options.deny_users[i]))
return 0;
}
/* Return false if AllowUsers isn't empty and user isn't listed there */
if (options.num_allow_users > 0) {
--- 68,92 ----
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
/* deny if...
2007 Sep 20
0
OpenSSH 4.7p1 - support the use of netgroups in AllowUsers and DenyUsers configuration options
...ssh-4.7p1_pwo0/match.c
--- openssh-4.7p1/match.c Fri Aug 4 22:39:40 2006
+++ openssh-4.7p1_pwo0/match.c Mon Sep 17 15:49:57 2007
@@ -204,6 +204,39 @@
}
/*
+ * match user in @netgroup
+ */
+int
+match_user_or_netgroup(const char *user, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_pattern(user, pattern);
+
+#ifdef HAVE_INNETGR
+ return innetgr(pattern + 1, NULL, user, NULL);
+#else
+ return 0;
+#endif
+}
+
+/*
+ * match host in @netgroup
+ */
+int
+match_host_and_ip_or_netgroup(const char *host, const char * ipaddr, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_h...
2013 Mar 22
1
[PATCH] Allow matching HostName against Host entries
...sts", oHashKnownHosts },
+ { "matchhostname", oMatchHostName },
{ "tunnel", oTunnel },
{ "tunneldevice", oTunnelDevice },
{ "localcommand", oLocalCommand },
@@ -823,7 +824,9 @@
negated = *arg == '!';
if (negated)
arg++;
- if (match_pattern(host, arg)) {
+ if (match_pattern(host, arg) ||
+ (options->match_host_name == 1 && &options->hostname != NULL &&
+ match_pattern(options->hostname, arg))) {
if (negated) {
debug("%.200s line %d: Skipping Host "
"block b...
2005 Jan 20
0
AllowUsers - proposal for useful variations on the theme
...penssh-3.9p1.orig/match.c 2002-03-05 01:42:43.000000000 +0000
+++ openssh-3.9p1.jpmg/match.c 2005-01-20 10:11:24.690070417 +0000
@@ -43,16 +43,19 @@
/*
* Returns true if the given string matches the pattern (which may contain ?
* and * as wildcards), and zero if it does not match.
*/
int
match_pattern(const char *s, const char *pattern)
{
+ if (s == NULL)
+ return 0;
+
for (;;) {
/* If at end of pattern, accept if also at end of string. */
if (!*pattern)
return !*s;
if (*pattern == '*') {
/* Skip the asterisk. */
pattern++;
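Review bot: The added `if (s == NULL) return 0;` makes every caller read a missing string as "does not match", which is the permissive answer wherever match_pattern backs a deny rule. A NULL user or host name would then pass a deny-list check instead of being refused; this is inferred from the return convention, as no caller is visible in this hunk. The header comment should state the contract, for example `* A NULL string never matches; callers enforcing deny rules must reject NULL before calling.`, and the deny paths should test for NULL explicitly. `pattern` is still dereferenced without a check at `if (!*pattern)`. The function body continues outside the hunk.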
@@ -217,16 +220,58 @@...
2004 May 07
3
Contribution to 3.8.1pl1
Hello,
I added the support for netgroups to be used in the
AllowUsers and DenyUsers parameters. This has some
advantages:
* hostnames or IP addresses need not be written or
maintained in the sshd_config file, but can be kept as
abstract names, which also somewhat simplifies large-scale
OpenSSH installations
* sshd_config need not change, and sshd need not be restarted,
when changing the list of allowed /
2019 Feb 22
3
[PATCH 2/2] Cygwin: implement case-insensitive Unicode user and group name matching
...in
> Cygwin-specific code. Keep the generic code changes as small as possible.
> Cygwin: implement case-insensitive Unicode user and group name matching
Applied, thanks.
I think it might be possible to make this less intrusive by adding a
match_user_pattern_list() function that just calls match_pattern_list
on Unix-alikes and the Cygwin specific function there. I'll take a
look.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad j...
2000 Feb 04
0
Patch that allows equal sign in options
...trtok(NULL, WHITESPACE_EQ);
if (!cp)
fatal("%.200s line %d: Missing second argument.",
filename, linenum);
@@ -494,7 +495,7 @@
case oHost:
*activep = 0;
- while ((cp = strtok(NULL, WHITESPACE)) != NULL)
+ while ((cp = strtok(NULL, WHITESPACE_EQ)) != NULL)
if (match_pattern(host, cp)) {
debug("Applying options for %.100s", cp);
*activep = 1;
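Review bot: With `WHITESPACE_EQ` in the `case oHost:` loop, `=` separates every token on the Host line, not only the keyword from its first argument. `Host a=b` would then be read as the two patterns `a` and `b` and could activate a block the author did not intend. This assumes WHITESPACE_EQ is WHITESPACE plus `=`; its definition is outside this hunk. Fetching only the first pattern with `strtok(NULL, WHITESPACE_EQ)` and the remaining ones with `strtok(NULL, WHITESPACE)` would keep `Host = name` working without splitting later patterns. The switch statement starts and ends outside the hunk.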
@@ -505,7 +506,7 @@
case oEscapeChar:
intptr = &options->escape_char;
- cp = strtok(NULL, WHITESPACE);
+ cp = strtok(NULL, WHITESPACE_EQ);
if (!cp)
fatal("%.200s line %d: Missing arg...
2019 Feb 22
2
[PATCH 2/2] Cygwin: implement case-insensitive Unicode user and group name matching
...s as small as possible.
> > > Cygwin: implement case-insensitive Unicode user and group name matching
> >
> > Applied, thanks.
> >
> > I think it might be possible to make this less intrusive by adding a
> > match_user_pattern_list() function that just calls match_pattern_list
> > on Unix-alikes and the Cygwin specific function there. I'll take a
> > look.
>
> How's this? If we push the match_usergroup_pattern_list() function up
> to OpenBSD it should mean most future diffs will apply cleanly.
I like this a lot.
But that also means...
2016 Dec 01
3
[Bug 2645] New: allow cidr matching of host in ssh_config
...are: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mmendez534 at gmail.com
Matching of Host values is limited to shell-type globbing via
`match_pattern`, but I'd like to be able to match via CIDR.
I've hacked up an implementation that pulls out much of the logic from
`addr_match_cidr_list` and uses that. If there is interest in this,
then I will polish it up and submit it to the mailing list for
discussion.
--
You are receiving this mail...
2008 Dec 16
2
Request change to file match.c, function match_pattern_list
...s to user ``oracle'' only by users who already are logged into
the same host that has user ``oracle''.
The above construct fails in OpenSSH, and I traced the failure to the
absence of code handling this case in an ``if'' statement (that checks
the result of function ``match_pattern'') near the end of the main
``for'' loop in function ``match_pattern_list'' in file ``match.c''.
The diff above is an example of code to handle this case.
The meaning of this new code is the following:
- If a string fails to match the subpattern of the configu...
2007 Nov 02
1
[Patch, enh] Permit host and IP addresses in (Allow|Deny)Groups
...(i = 0; !found && i < npatterns; i++) {
+ name_pattern = xstrdup(patterns[i]);
+ host_pattern = strchr(name_pattern, '@');
+ if (host_pattern)
+ *host_pattern++ = '\0';
+ for (j = 0; !found && j < ngroups; j++)
+ if (match_pattern(groups_byname[j], name_pattern))
+ found = !host_pattern ||
+ match_host_and_ip(hostname, ipaddr,
host_pattern);
+ xfree(name_pattern);
+ }
+ return found;
+}
+#endif /* GROUP_MATCH_HOST_AND_IP */
/*
* Free memory allocated for group access list...
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
..._type ? a->name_type : "");
+ debug3("key_match: b->name_type == %s", b->name_type ? b->name_type : "");
+ return 0;
+ }
+
+ debug3("key_match: trying to match %s WITH %s", a->name, b->name);
+ if (a->type == KEY_NAME_PAT)
+ return match_pattern(b->name, a->name);
+ else
+ return match_pattern(a->name, b->name);
+}
+
static u_char*
key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length)
@@ -161,7 +226,7 @@
EVP_MD_CTX ctx;
u_char *blob = NULL;
u_char *retval = NULL;
- int len = 0;
+ u_int len = 0;...
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
..._type ? a->name_type : "");
+ debug3("key_match: b->name_type == %s", b->name_type ? b->name_type : "");
+ return 0;
+ }
+
+ debug3("key_match: trying to match %s WITH %s", a->name, b->name);
+ if (a->type == KEY_NAME_PAT)
+ return match_pattern(b->name, a->name);
+ else
+ return match_pattern(a->name, b->name);
+}
+
u_char*
key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length)
@@ -160,7 +229,7 @@
EVP_MD_CTX ctx;
u_char *blob = NULL;
u_char *retval = NULL;
- int len = 0;
+ u_int len = 0;
int...
2017 Mar 01
7
[Bug 2686] New: SSHD segfaults when trying to load RSA1 host keys
...he HostKeys pointing to the
old key types (RSA1). I found such a line in my sshd_config, and after
updating OpenSSH I was unable to connect:
HostKey /etc/ssh/ssh_host_key
Removing the above line will make sshd work again.
GDB traceback:
Program received signal SIGSEGV, Segmentation fault.
#0 match_pattern (s=s@entry=0x0,
pattern=pattern@entry=0x7fffffffd520
"ecdsa-sha2-nistp256-cert-v01@openssh.com") at match.c:98
#1 0x00005555555a7af3 in match_pattern_list (string=0x0,
pattern=pattern@entry=0x555555831aa0
"ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-...
2019 Feb 20
3
[PATCH 0/2] Cygwin: allow user and group case-insensitive Unicode strings
Windows usernames are case-insensitive and almost any Unicode character
is allowed in a username. The user should be able to log in with her
username given in any case and not be refused. However, this opens up
a security problem in terms of the sshd_config Match rules. The match
rules for user and group names have to operate case-insensitively as well,
otherwise the user can override her settings
2010 Jan 14
1
ssh(1) multiplexing rewrite
...", (int)(cp - env), env);
+ if (ret <= 0 || (size_t)ret >= sizeof(name)) {
+ error("env_permitted: name '%.100s...' too long", env);
return 0;
}
- /* XXX handle asynchronously */
- unset_nonblock(client_fd);
+ for (i = 0; i < options.num_send_env; i++)
+ if (match_pattern(name, options.send_env[i]))
+ return 1;
- /* Read command */
- buffer_init(&m);
- if (ssh_msg_recv(client_fd, &m) == -1) {
- error("%s: client msg_recv failed", __func__);
- close(client_fd);
- buffer_free(&m);
- return 0;
- }
- if ((ver = buffer_get_char(&m)) != S...