similar to: [Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified

Hey everyone, After discussing the AllowGroups I think I've discovered a bug. The system is a solaris 8 system and the problem is that when I use AllowGroups with no AllowUsers args, the proper actions happen. Same with AllowUsers and no AllowGroups. When I try to combine the two, none of the Allow directives seem to take. Is it just me or maybe a bug? -James

I smacked into this previously reported bug today whereby an invalid keyword in the Match{} stanza did not throw an error on configuration reload. Are there any plans to fix this? Likewise the penchant for some fields to be comma separated and others to be spaces is just asking for mistakes. Why not support both and be done with it? There was no response (that I saw in the archives) to this post

https://bugzilla.mindrot.org/show_bug.cgi?id=2292 Bug ID: 2292 Summary: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW

Markus, ignore the other stuff I sent.. I need to go back to bed and stop trying to code.. <sigh> For everone else.. Will this make everyone happy? This does the follow. it will always honor AllowUsers. If there is no Allow/DenyGroups it stated they are not in allowUsers. IF there are AllowDenyGroups it tries them. And then stated they are not in either AllowUsers nor AllowGroups

Hello, I've trawled archives looking for changes in the "AllowUsers" option, manuals, changes log, reported bugs and to my surprise I can't find anything or anyone that has reported the issues that I am experiencing. I am using the default installation sshd_config file as supplied by Redhat and the only options I have changed are: ListenAddress AllowUsers The first problem

https://bugzilla.mindrot.org/show_bug.cgi?id=3193 Bug ID: 3193 Summary: Add separate section in sshd_config man page on Access Control Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

While testing some AllowUsers and AllowGroups combinations I was surprised to find that one cannot be used to override the other. For example: AllowGroups administrators AllowUsers john If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to create another group just for ssh, something like ssh-admins. This other

The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are: 1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated

http://bugzilla.mindrot.org/show_bug.cgi?id=999 Summary: AllowGroups ,DenyGroups failed to report hostname Product: Portable OpenSSH Version: 4.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy:

It seems the syntax for AllowUsers in sshd_config is not the same that is given in man sshd_config and in several documentation on the web. (http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config) e.g. AllowUsers root does work. AllowUsers root username does not work. If I try to login as root I get "User root from <hostname> not allowed because not listed in AllowUsers".

The following is a patch I've been working on to support a "ChrootUser" option in the sshd_config file. I was looking for a way to offer sftp access and at the same time restict interactive shell access. This patch is a necessary first step (IMO). It applies clean with 'patch -l'. Also attached is a shell script that helps to build a chrooted home dir on a RedHat 7.2

Hello! We have the server with RHEL 5.5 (64-bit) and need to connect many parallel users over ssh (OpenSSH). Usually we use openssh-4.4p1, builded from the sources with changed "servconf.h" file by this type: ???#define MAX_ALLOW_USERS ????????10000 ????/* Max # users on allow list. */ ???#define MAX_DENY_USERS ???????????10000 ????/* Max # users on deny list. */ ???#define

https://bugzilla.mindrot.org/show_bug.cgi?id=2391 Bug ID: 2391 Summary: Enhance AllowGroups documentation in man page Product: Portable OpenSSH Version: 6.8p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee:

This is a port of a patch I contributed to ssh 1.2.23 in May 1998. I have missed the functionality after moving to OpenSSH so I have updated the patch and hope OpenSSH might accept it. The patch allows sshd_config to have lines like: AllowUsers root at localhost AllowUsers tridge@* AllowUsers guest at 192.168.2.* DenyUsers badguy@* etc. I found this useful for restricting users to only login

Hello, I have attached a small patch that enables OpenSSH 4.7p1 to use netgroups for users and hosts entries in the AllowUsers and DenyUsers configuration options in sshd_config. This has the following advantages: * hostnames or ip addresses don't have to be maintained in sshd_config, but you can use meaningful names for groups of users and groups of hosts. * large scale installations can

I have a number of development machines behind my OpenBSD firewall which all provide a very permissive development account (and easy sudo). I don't want this account exposed on the internet side of the firewall, so I created a doorstep account with no perms and really long passwords to get anywhere useful. I looked through the SSH book and it gave me the impression that I could set up these

Hi there, I have just compiled openssh-5.0 on Solaris 10, and am trying to set up a certain pattern of user access control. Essentially, regular users should be able to login from any network, while root should be able to login only from a private network 192.168.88.0/22. Actually, for the purpose of sshd_config, this is four networks, but that's another story... Here is what I tried:

Hello all, I have made SecurID authentication for OpenSSH 3.6.1p2. This patch was totaly rewritten, so please test it before use. Kbd-int authentication is now integrated into challenge response auth. Privsep is now fully suported. PS: What do you think of selective access to the individual authentications, similar to AllowGroups/DenyGroups or maybe AllowUsers/DenyUsers ? Vaclav Tomec

Hi, I hope this is the right place for a feature request. I'd like to have more flexible AllowUsers/DenyUsers synax. I am in a situation, where I have machines connected to three networks (a private, high speed, a public, and a private vpn) and I'd like to enable root logins only on the private networks. Currently I see no way of doing this, because there is no way to specify a

A short while ago, I looked at using the AllowUsers configuration option in openssh (v3.8p1 , but I believe this to be unchanged in 3.9p1) to restrict access such that only specific remote machines could access specific local accounts. I swiftly discovered that a) specifying wildcarded IP numbers to try to allow a useful IP range was pointless: if I specified AllowUsers joe at