search for: num_allow_us

...c --- auth.c 4 Nov 2002 10:07:53 -0000 1.46 +++ auth.c 16 Feb 2003 03:27:42 -0000 @@ -105,15 +105,16 @@ return 0; } } - /* Return false if AllowUsers isn't empty and user isn't listed there */ + /* Return true if person in AllowUsers, otherwise try the group test */ if (options.num_allow_users > 0) { for (i = 0; i < options.num_allow_users; i++) if (match_user(pw->pw_name, hostname, ipaddr, options.allow_users[i])) - break; - /* i < options.num_allow_users iff we break for loop */ - if (i >= options.num_allow_users) { - log("User %.100s not al...

...@ -138,44 +138,85 @@ } if (S_ISREG(st.st_mode) == 0 || (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { logit("User %.100s not allowed because shell %.100s is not executable", pw->pw_name, shell); return 0; } - if (options.num_deny_users > 0 || options.num_allow_users > 0) { + if (options.num_deny_users > 0 || options.num_allow_users > 0 || + options.num_allow_users_fixedname > 0 || + options.num_allow_users_ipaddr > 0 ) { hostname = get_canonical_hostname(options.use_dns); ipaddr = get_remote_ipaddr(); } /* Return false if...

...s listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) ! if (match_pattern(pw->pw_name, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { --- 68,92 ---- shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ ! if (stat(shell, &st) != 0) { ! log("User %.100s not allowed because shell %.100s does not exist", ! pw-&...

...39;t contain the user's group + * return false. + * Otherwise, return true. + */ +int auth_allowed_user(struct passwd *pw, Authaccess access) +{ + const char *hostname = NULL, *ipaddr = NULL; + int i; + + if (!pw || !pw->pw_name) + return 0; + + if (access.num_deny_users > 0 || access.num_allow_users > 0) { + hostname = get_canonical_hostname(options.verify_reverse_mapping); + ipaddr = get_remote_ipaddr(); + } + + /* Return false if user is listed in DenyUsers */ + if (access.num_deny_users > 0) { + for (i = 0; i < access.num_deny_users; i++) + if (match_user(pw->pw_name...

...====== RCS file: /cvs/src/usr.bin/ssh/auth.c,v retrieving revision 1.48 diff -u -r1.48 auth.c --- auth.c 2003/06/02 09:17:34 1.48 +++ auth.c 2003/06/11 12:29:19 @@ -111,7 +111,7 @@ if (match_user(pw->pw_name, hostname, ipaddr, options.allow_users[i])) break; - /* i < options.num_allow_users iff we break for loop */ + /* i < options.num_allow_users if we break for loop */ if (i >= options.num_allow_users) { logit("User %.100s not allowed because not listed in AllowUsers", pw->pw_name); Index: monitor.c ==============================================...

...t include it in this patch. But it is very easy to implement if wanted so. -------------- next part -------------- diff openssh-SNAP-20000829/auth.c openssh/auth.c 53a54 > int user_in_allow_list = 0; 109a111,112 > { > user_in_allow_list = 1; 111,112c114,120 < /* i < options.num_allow_users iff we break for loop */ < if (i >= options.num_allow_users) --- > } > /* i < options.num_allow_users if we break for loop > to allow allow users and allow groups colive we can't > quit with error message when user wasn't listed in > allow u...

...(i = 0; i < options.num_deny_users; i++) - if (match_pattern(pw->pw_name, options.deny_users[i])) + if (match_user(pw->pw_name, hostname, ipaddr, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { + const char *hostname = get_canonical_hostname(options.reverse_mapping_check); + const char *ipaddr = get_remote_ipaddr(); for (i = 0; i < options.num_allow_users; i++) - if (match_pattern(pw->pw_name, options.allow_users[i])) + if (match_user(pw->pw_name, hostname,...

...c Thu Mar 1 15:45:03 2001 *************** *** 81,86 **** --- 81,87 ---- options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; + options->sys_environment_file = NULL; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; *************** *** 210,216 **** sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, ! sUseLog...

Would anybody happen to have or know of a patch to make /etc/default/login PATH and SUPATH the default openssh path? We have customized paths for each school of engineering (each have their own customized site bin). This is easily controled with /etc/default/login. The --with-default-path option is too rigid. This is Solaris I am talking about. --mike

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

...vconf.c --- openssh-2.2.0p1/servconf.c Fri Aug 18 05:59:06 2000 +++ openssh-2.2.0p1chroot/servconf.c Sun Oct 22 18:59:49 2000 @@ -68,6 +68,8 @@ #endif options->permit_empty_passwd = -1; options->use_login = -1; + options->use_chroot = -1; + options->chroot_group = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -158,6 +160,10 @@ options->permit_empty_passwd = 0; if (options->use_login == -1) options->use_login = 0; + if (options->use_chroot == -1) + options->use_chroot = 0; + if (options->chroot_gro...

OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the

....0 port 8088. The diff, in case you want to see what I actually did: -3.5p1-chroot/servconf.c --- openssh-3.5p1/servconf.c Thu Sep 5 00:35:15 2002 +++ openssh-3.5p1-chroot/servconf.c Mon Feb 10 13:52:34 2003 @@ -775,6 +775,7 @@ options->allow_users[options->num_allow_users++] = xstrdup(arg); } + debug3("Found %d AllowUsers", options->num_allow_users); break; case sDenyUsers: @@ -795,6 +796,7 @@ options->allow_groups[options->num_allow_groups++] =...

https://bugzilla.mindrot.org/show_bug.cgi?id=2346 Bug ID: 2346 Summary: sshd -T doesn't write all configuration options in valid format Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

...ized_principals_file); \ M_CP_STROPT(authorized_keys_command); \ M_CP_STROPT(authorized_keys_command_user); \ + M_CP_STROPT(ciphers); \ + M_CP_STROPT(macs); \ + M_CP_STROPT(kex_algorithms); \ M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ M_CP_STRARRAYOPT(allow_users, num_allow_users); \ M_CP_STRARRAYOPT(deny_users, num_deny_users); \ Index: sshd.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshd.c,v retrieving revision 1.426 diff -u -p -u -r1.426 sshd.c --- sshd.c 29 Apr 2014 18:01:49 -0000 1.426 +++ sshd.c 6 Jun 201...

...ag: intptr = &options->allow_tcp_forwarding; goto parse_flag; +#ifdef USE_PRIVSEP case sUsePrivilegeSeparation: intptr = &use_privsep; goto parse_flag; - +#endif case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) --- openssh-4.2p1/sshd.c~ 2005-07-26 12:54:56.000000000 +0100 +++ openssh-4.2p1/sshd.c 2006-01-07 18:12:40.000000000 +0000 @@ -200,9 +200,11 @@ u_int utmp_len = MAXHOSTNAMELEN; int *startup_pipes = NULL; int startup_pipe; /* in child */ +#ifdef USE_PRIVSEP /* variabl...

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this

...5:42:20 2000 +++ openssh-2.1.1p4-hein/servconf.c Sun Aug 27 12:36:00 2000 @@ -67,6 +67,9 @@ #ifdef SKEY options->skey_authentication = -1; #endif +#ifdef PAM_TIS + options->tis_authentication = -1; +#endif options->permit_empty_passwd = -1; options->use_login = -1; options->num_allow_users = 0; @@ -155,6 +158,10 @@ if (options->skey_authentication == -1) options->skey_authentication = 1; #endif +#ifdef PAM_TIS + if (options->tis_authentication == -1) + options->tis_authentication = 1; +#endif if (options->permit_empty_passwd == -1) options->permit_emp...

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the