similar to: [Bug 1546] New: sshd_config DenyUsers does not recognize negated host properly

Greetings, This request is in the grey area between a bug report and an enhancement request. Request ------- Please apply the following diff (or something functionally similar) to file ``match.c'' in OpenSSH-5.1p1: 161a162,164 > } else { > if (negated) > got_positive = 1; /* Negative match, negated = Positive */ In case the lines above wrapped in the email

Hi, I hope this is the right place for a feature request. I'd like to have more flexible AllowUsers/DenyUsers synax. I am in a situation, where I have machines connected to three networks (a private, high speed, a public, and a private vpn) and I'd like to enable root logins only on the private networks. Currently I see no way of doing this, because there is no way to specify a

https://bugzilla.mindrot.org/show_bug.cgi?id=2292 Bug ID: 2292 Summary: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW

On Feb 22 16:02, Darren Tucker wrote: > On Fri, Feb 22, 2019 at 03:32:43PM +1100, Darren Tucker wrote: > > On Wed, 20 Feb 2019 at 23:54, Corinna Vinschen <vinschen at redhat.com> wrote: > > > The previous revert enabled case-insensitive user names again. This > > > patch implements the case-insensitive user and group name matching. > > > To allow Unicode

https://bugzilla.mindrot.org/show_bug.cgi?id=3193 Bug ID: 3193 Summary: Add separate section in sshd_config man page on Access Control Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

Here is a better patch. Somehow I pasted an older version of my edits: ------------------------------------------------------- % diff ./match.c /home/millerig/osrc/openssh-7.2p2/match.c 121a122 > char *low_string = 0; 156,159c157,168 < if (match_pattern(string, sub)) { < if (negated) < return -1; /* Negative */ < else --- > if (dolower) { > u_int j; >

Hi there, I have just compiled openssh-5.0 on Solaris 10, and am trying to set up a certain pattern of user access control. Essentially, regular users should be able to login from any network, while root should be able to login only from a private network 192.168.88.0/22. Actually, for the purpose of sshd_config, this is four networks, but that's another story... Here is what I tried:

https://bugzilla.mindrot.org/show_bug.cgi?id=1646 Summary: Match directive does not override default settings Product: Portable OpenSSH Version: 5.1p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org

Hello, I have attached a small patch that enables OpenSSH 4.7p1 to use netgroups for users and hosts entries in the AllowUsers and DenyUsers configuration options in sshd_config. This has the following advantages: * hostnames or ip addresses don't have to be maintained in sshd_config, but you can use meaningful names for groups of users and groups of hosts. * large scale installations can

I want to allow a single host root access via ssh. If the order of processing DenyUsers, AllowUsers were reversed this cold be done in a straight forward manner. My question, is would adding an Apache-like derective Order Deny,Allow violate any standards or be a security problem? _____ Douglas Denault http://www.safeport.com doug at safeport.com

Windows usernames are case-insensitive and almost any Unicode character is allowed in a username. The user should be able to login with her username given in any case and not be refused. However, this opens up a security problem in terms of the sshd_config Match rules. The match rules for user and group names have to operate case-insensitive as well, otherwise the user can override her settings

Hi, I've just been adding a few extra hosts to my sshd_config's AllowUsers, and it's got a bit unwieldy. As far as I can tell from the sshd_config(5) and ssh_config(5) man pages, the *only* way to specify multiple AllowUsers patterns is on a single line, separated by spaces. With more than 6 or 7 patterns it starts wrapping on to multiple lines and gets hard to read, especially

Hi! I'm experimenting with migrating the custom sshd_config settings for our (Debian bullseye, openssh-server 8.4) server environment into fragments under sshd_config.d/, and am wondering about sshd's behaviour when encountering multiple AllowGroup lines. The manual states "For each keyword, the first obtained value will be used.", so that gives me the impression that any

On Thu, Dec 15, 2016 at 4:22 PM, Zev Weiss <zev at bewilderbeest.net> wrote: [...] > I tested (or tried) git commit b737e4d7 on three systems, with somewhat > mixed results. Thanks for the comprehensive testing! > On Mac OSX (macOS?) 10.9, configure failed with: > > ... > checking OpenSSL header version... 1000208f (OpenSSL 1.0.2h 3 May 2016) > checking

https://bugzilla.mindrot.org/show_bug.cgi?id=1690 Summary: AllowUsers and DenyGroups directives are not parsed in the order specified Product: Portable OpenSSH Version: 5.3p1 Platform: ix86 OS/Version: Linux Status: NEW Keywords: patch Severity: trivial Priority: P2 Component:

On Wed, 20 Feb 2019 at 23:54, Corinna Vinschen <vinschen at redhat.com> wrote: > The previous revert enabled case-insensitive user names again. This > patch implements the case-insensitive user and group name matching. > To allow Unicode chars, implement the matcher using wchar_t chars in > Cygwin-specific code. Keep the generic code changes as small as possible. > Cygwin:

https://bugzilla.mindrot.org/show_bug.cgi?id=1918 Bug #: 1918 Summary: match_pattern_list fails for negated failure Classification: Unclassified Product: Portable OpenSSH Version: 5.8p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd

We have some cases when copying indexes that we'd like rsync to avoid the system cache when copying a chunk of data from some other machine. I am probably going to modify our own copy of rsync to do this, but if we could write directly to the disk using direct-io (or from for that matter) we could avoid polluting the operating system's buffer cache before we're ready to use the new

The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are: 1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated

While testing some AllowUsers and AllowGroups combinations I was surprised to find that one cannot be used to override the other. For example: AllowGroups administrators AllowUsers john If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to create another group just for ssh, something like ssh-admins. This other