search for: match_user

...ecked against the hostname and IP address. If no @ is found then + a normal match_pattern is done against the username + + This is more useful than just a match_pattern as it allows you to + specify exactly what users are alowed to login from what hosts + (tridge, May 1998) +*/ +static int match_user(const char *user, const char *host, const char *ip, + const char *pattern) +{ + int ret; + char *p2; + char *p; + + p = strchr(pattern,'@'); + + if (!p) return match_pattern(user, pattern); + + p2 = xstrdup(pattern); + p = strchr(p2, '@'); + + *p = 0; + + ret = match_patt...

...105,15 +105,16 @@ return 0; } } - /* Return false if AllowUsers isn't empty and user isn't listed there */ + /* Return true if person in AllowUsers, otherwise try the group test */ if (options.num_allow_users > 0) { for (i = 0; i < options.num_allow_users; i++) if (match_user(pw->pw_name, hostname, ipaddr, options.allow_users[i])) - break; - /* i < options.num_allow_users iff we break for loop */ - if (i >= options.num_allow_users) { - log("User %.100s not allowed because not listed in AllowUsers", + goto success; + + if (options.nu...

...t; 0 || + options.num_allow_users_ipaddr > 0 ) { hostname = get_canonical_hostname(options.use_dns); ipaddr = get_remote_ipaddr(); } /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) if (match_user(pw->pw_name, hostname, ipaddr, options.deny_users[i])) { logit("User %.100s not allowed because listed in DenyUsers", pw->pw_name); return 0; } } - /* Return false if AllowUsers isn't empty and user isn't listed there */ + /* Check all of All...

...0 || access.num_allow_users > 0) { + hostname = get_canonical_hostname(options.verify_reverse_mapping); + ipaddr = get_remote_ipaddr(); + } + + /* Return false if user is listed in DenyUsers */ + if (access.num_deny_users > 0) { + for (i = 0; i < access.num_deny_users; i++) + if (match_user(pw->pw_name, hostname, ipaddr, + access.deny_users[i])) + return 0; + } + + /* Return false if AllowUsers is non-empty, and user is not listed */ + if (access.num_allow_users > 0) { + for (i = 0; i < access.num_allow_users; i++) + if (match_user(pw->pw_nam...

...d/sshd.cat8 ? sshd/sshd_config.cat5 Index: auth.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth.c,v retrieving revision 1.48 diff -u -r1.48 auth.c --- auth.c 2003/06/02 09:17:34 1.48 +++ auth.c 2003/06/11 12:29:19 @@ -111,7 +111,7 @@ if (match_user(pw->pw_name, hostname, ipaddr, options.allow_users[i])) break; - /* i < options.num_allow_users iff we break for loop */ + /* i < options.num_allow_users if we break for loop */ if (i >= options.num_allow_users) { logit("User %.100s not allowed because not lis...

...) error("setlogin failed: %s", strerror(errno)); +#ifdef CHROOT + + if (options.num_chroot_users > 0) { + hostname = get_canonical_hostname(options.verify_reverse_mapping); + ipaddr = get_remote_ipaddr(); + for (i = 0; i < options.num_chroot_users; i++) { + if (match_user(pw->pw_name, hostname, ipaddr, + options.chroot_users[i])) { + if(chroot(pw->pw_dir) != 0) { + fatal("Couldn't chroot to user directory %s", + pw->pw_dir); + } + else + pw->pw_dir = new_root; + } + } + } + + +#endif /* CHROOT *...

While I was trying to get the patch to work on one of my AIX hosts (4.3.3), I discovered what is probably a bug in the section of code in session.c. for (i = 0; i < options.num_chroot_users; i++) { if (match_user(pw->pw_name, hostname, ipaddr, options.chroot_users[i])) { dir = chroot_dir(pw); /* 'dir' now points to memory block holding pathname */ new_home = dir; /* contents of 'dir' pointer copied to 'new_home' pointer */ xfr...

...de chars, implement the matcher using wchar_t chars in > Cygwin-specific code. Keep the generic code changes as small as possible. > Cygwin: implement case-insensitive Unicode user and group name matching Applied, thanks. I think it might be possible to make this less intrusive by adding a match_user_pattern_list() function that just calls match_pattern_list on Unix-alikes and the Cygwin specific function there. I'll take a look. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience....

...diff -u -p openssh-3.4p1/match.h openssh-3.4p1-hash/match.h --- openssh-3.4p1/match.h Mon Mar 4 20:42:43 2002 +++ openssh-3.4p1-hash/match.h Mon Mar 3 17:30:44 2003 @@ -20,5 +20,8 @@ int match_hostname(const char *, const int match_host_and_ip(const char *, const char *, const char *); int match_user(const char *, const char *, const char *, const char *); char *match_list(const char *, const char *, u_int *); +#ifdef HASH_KNOWN_HOSTS +int match_hashed_hostname(const char *, const char *, u_int); +#endif #endif Common subdirectories: openssh-3.4p1/openbsd-compat and openssh-3.4p1-hash/...

...Cygwin-specific code. Keep the generic code changes as small as possible. > > > Cygwin: implement case-insensitive Unicode user and group name matching > > > > Applied, thanks. > > > > I think it might be possible to make this less intrusive by adding a > > match_user_pattern_list() function that just calls match_pattern_list > > on Unix-alikes and the Cygwin specific function there. I'll take a > > look. > > How's this? If we push the match_usergroup_pattern_list() function up > to OpenBSD it should mean most future diffs will ap...

OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer